To be fear, they did not just publish a negative blog post about WeWork as the title may suggest, but somehow obtained proprietary data WeWork probably sees as a trade secret.
As I understand it is currently unknown where the author got the data. If WeWorks published this in a publicly available API it is of course reasonable to chart it, but if the author somehow misuses the access he got as a tenant there, this is not (in my view) just an issue about the author publishing a negative blog post as the title indicates.
it's my understanding the API they used was undocumented, so while it's WeWork's fault for not doing a better job securing an API that seems sensitive to them, it's also disrespectful to do something that you're pretty clearly not wanted to be doing
IANAL but you can be in trouble even if the data is openly available but the party managing the data deems it restricted in any way. I believe this is the reason security researchers get in trouble: they access data that is considered restricted and get prosecuted for "stealing" it.
I think the logic to that is something akin to: its illegal for you to take my car even if I leave it unlocked with the keys in it.
The company has to communicate that the data is restricted, they can't just deem it restricted after the fact. Usually when companies or individuals (eg. 3Taps & Aaron Swartz) have gotten in trouble under the CFAA, it's been because they've been served a C&D or IP-blocked and then persist in accessing the data, which the courts have upheld as "knowingly and intentionally accessing a computer without authorization".
In this case, WeWork is within their rights to terminate ThinkNum's membership for the ToS violation, but there's no legal case unless ThinkNum persists in scraping WeWork's data after the termination, or there's evidence that ThinkNum knew that the API was restricted at the time they accessed it. Hence the founder's repeated insistences that he did nothing wrong, and coyness in discussing the source of the data.
Where's the line between "scraping" (prohibited) and reading (allowed) of the API data?