Luis Castillo, 23, admitted to breaking into the system and embedding malicious code that gathered and transferred the information to a file where he could easily retrieve it. He was found guilty of recklessly gaining unauthorized access and causing damage to the Texas A&M domain controller.
The man, who graduated with a bachelor's degree in computer science in December 2006, faces a maximum of five years imprisonment and a $250,000 fine. He is set to be sentenced on Dec. 10.
"We appreciate the FBI's commitment to investigating this type of crime," said Dr. Pierce Cantrell, VP and associate provost for information technology at Texas A&M University, in a written statement. "Such action and results should certainly serve as a deterrent to anyone else who might be contemplating such activities."
The FBI reported that on Feb. 28, Texas A&M technicians discovered that the domain controller of its virtual private network -- code named Ajax -- had suffered multiple unauthorized computer intrusion incidents. The school called in the FBI to investigate the breach.
Agents discovered that in mid-February, Castillo logged onto the university's VPN using his own ID and password from a wireless account located at an apartment in Oregon where he was living, according to an FBI advisory. After that, Castillo continued to try to breach a core part of the system until he successfully accessed the Ajax machine on Feb. 24. Once in, the FBI said, he embedded malware into the university's computer system that would gather and move the Net IDs and passwords into a temporary file that he could easily access.
The FBI noted that he stole data on 133,000 people.
Texas A&M reported to the court that the school spent $67,000 in its efforts to protect students and employees from the illegal or fraudulent use of their stolen information.