I did this when I was at high school with a friend. Basically the place had a shared Windows file system, and the only thing that prevented everyone from viewing it was that it was hidden in the UI. On the drive was lots of data, including some applications in PDF format - completely unprotected - full of personal information of minors.
At the time we had recently covered data protection in IT class, so we wrote up a document explaining what we did, and why it was bad, and gave copies to a few people in prominent positions (principle, head of IT, IT teacher) as well as posting it (with instructions redacted) on an internal message board.
Well of course they didn't take it very well. They threatened to expel us and call the cops, and suspended us for a week until they decided what to do. In the end a well written warning from my friend's parent made them drop the issue and let us back in. I doubt they did anything to change the "security".
At the time we had recently covered data protection in IT class, so we wrote up a document explaining what we did, and why it was bad, and gave copies to a few people in prominent positions (principle, head of IT, IT teacher) as well as posting it (with instructions redacted) on an internal message board.
Well of course they didn't take it very well. They threatened to expel us and call the cops, and suspended us for a week until they decided what to do. In the end a well written warning from my friend's parent made them drop the issue and let us back in. I doubt they did anything to change the "security".