The article did not say what exactly happened., so I will reserve judgement. It reminds me of a case some 15 years ago. A guy received a URL from a utility company to get access to his data. The URL was in the form, http://www.utilitycompany.com/somelo.../accountnumber. Our guy was lazy and typed the URL in the browser without the last bit and - what should happen but get a page with a list of all the accounts, allowing hi. to go in and see anyone else's data: not just consumption but also full name and address and bank details. This guy went ahead and notified said utility company, prompti.g them to close this gaping security hole. So what did they do? Accuse him of hacking and pressed charges against him. Eventually they were forced to silently drop the charges and it was only then that our guy went public. Whenever I read a story like this, my judgement may be influenced with this story. For all we know, this story may have been very similar. Or not.