Well, it was at least 3 years before that when I was working at a school that had a student use his PC in his office to spam through our mail relays for his consulting business. I bring it up because we clearly had IPs in the logs, but the networking group sent someone out to the office anyway... to get the MAC address, so we could correlate the IP of the spammer with the DHCP logs and with the MAC on his machine.
Now, this was a university office (he was a grad student), so the network engineer called campus police to let her in, but the user showed up before they did and... lol, let her in! Police showed up just in time for her to tell the officer she had verified the MAC, and they took Mr. Spammer off for a talk about acceptable use and how he will not be using university computer resources unless he moves to another school (not his first offense).
So I left that job at least 2 years before 2007, so school network admins were already looking to close gaps like that in their investigations of AUP violations prior to that, so it's pretty believable to me that they would want more than IP.