@JonB
No, they NOW have to check all the data since there is no telling what these two have changed. It is likely they changed a lot more than just grades. Either way, they cannot take the chance. For instance, if they went in and changed the keys to some tests, it will cause problems in the future. Backups are of little use, since the majority of them will be compromised as well. Ensuring the data is trustworthy again will cost quite a bit of money and take time.
Also, don't tell me what they do and don't do. It's obvious you haven't taken a few things into account, and all you are doing is stating the obvious. It is rare for any system to have users re-check entered data, which is why it is a good practice to schedule audits of data from time to time.
Keep your clue for yourself. Just because something happens where you are doesn't mean it happens everywhere else. On most systems it doesn't matter how often you change the password or how complex it is if you have physical access.
Did this school do everything it could have to prevent this from happening? No.
Did they underestimate malicious inside users? Yes.
Were physical security and user security training poor? Yes.
Does this provide any excuse for the students who hacked into the system? NO.
If you let someone into your house, and they steal something when you are not looking, or damage something while they are there... are they not liable because you let them in? Does this mean your security is poor?
By the way, if physical security is so lax, then keeping grades on paper is just as vulnerable. A student could break into a room where they are kept and make changes... Here's your sign.