by thr0wawayf00 1637 days ago
"Breach" is a legal term, and although IANAL, it seems semantically correct here. When anyone outside of your organization gains access to sensitive information in your systems, regardless of their intent, that is a breach and these guys accomplished that. PCI and all of those other security protocols and programs don't draw the line at white-hat access vs black-hat access.
1 comment

I agree mostly. I don't think an unsanctioned assessment that goes this deep is pure white hat. It seems firmly gray to me.

> PCI and all of those other security protocols and programs don't draw the line at white-hat access vs black-hat access.

PCI mandates penetration tests. A white hat finding as a pentest isn't reportable as a breach. This one may be unless some gymnastics are used to call it an authorized test.