The college has screwed up, first, by demonstrating draconian measures applied to misconduct case, reminding me of cruelty in medieval history (hey, it's Canada, and XXI century, isn't it?), and second with poor judgement that shows incompetency of professors in basic information security and privacy questions.
There's a website calling for support of the student http://www.hamedhelped.com/support/ - they are asking for re-instantiation and public apology. I've signed, but I think the guy has no problem anymore - he has got enough PR so he'll find a job or a new scholarship easily, but a more appropriate action against the college would be a privacy lawsuit, representing other students. If the college was not supporting ethical hacking (rather fighting it and retaliating harshly), especially after having discovered a real issue, it means, the college was covering up the criminals (in this case, software company who due to their negligence, lack of testing or other reasons, could let the security flaw happen). I think it's somewhat questionable whether or not a software company itself is criminal, and, perhaps, they've covered their ass with a bunch of legal disclaimers, but willfully covering it has clearly criminal intent - college should pay punitive damages to victims that had their data exposed.
Again, I say all this only assuming that the news are based on true facts and do not hide other important facts. Got ready with popcorn and will be watching more news on this as they come :)