[SengirV]

You have brought up the only true concern in all of this. But as any computer security expert would say - If you can get physical access to a machine, you can compromise it. This example is almost that. Giving someone complete, unfettered access to a machine like this means that it is not in any kind of secured state.

The person who did it says "It wouldn't have mattered" if they did not issue accounts and opened up SSH. But has yet to display this ability.

[Senator Bedfellow]

If you have unrestricted physical access, you will inevitably compromise the machine. In a lab environment, you have physical contact with the machine, but it is hardly unrestricted access insofar as someone's likely to notice you rebooting the machine, plugging in your own hardware, or pulling out your screwdrivers and going to work. You should not be able to compromise the machine merely by sitting down and logging in, and that's what happened here.