[pnt12]

Seems outlandish. Citation needed? I'm aware of a couple of cases in the US, but not all over the world.

Secondly: can consumers be blamed for gross negligence? It's not reasonable for a bank to post account balances in public billboard and ask people not to look at others. We should contest when private data is available publically, hidden only by small obfuscations, not professional security practices.

[mpeg]

So for example in the UK with the computer misuse act, intent matters. If you intentionally change an id because you expect you will be able to access other data it becomes a crime.

Your example is flawed because in this case the private data was not made available publicly at all – you need to intentionally exploit a software flaw to access it.

Of course, it also matters how you handle it. If you do enough to just discover the flaw, try to adhere to the bug bounty program scope (if any), use your own accounts in testing and responsibly disclose any findings as soon as you have a poc then you'll probably be ok.

In this case the author went way beyond just finding the flaws, and then disclosed it publicly in a completely irresponsible way without even trying to contact the company or any of the clients affected by it (some of which will certainly have a security contact that can liaise with the vendor)

[pnt12]

I concede that intent matters.

Maybe a better analogy is a bank with open lockers and no vigilance: if someone enters and steals money, the police will look for them, because "the coffers were open" is not a valid defense. But customers will also demand answers from the bank - why were they so negligent and incompetent that someone can just enter and get their money?

We should hold similar values for digital systems.

Was the author's intent on stealing private data and causing harm? Did he gain from this abuse? Did the company take enough measures to safeguard their data?

Companies have been mostly not held responsible for their fuck ups, and no matter the law, that's wrong to me.