That is sad. There should be some kind of TOS for public internet companies. While these kinds of exploits do not hurt Google, they can be very dangerous for users.
Sounds like it would be a good extension to Data Protection / Computer Abuse/Misuse Acts depending on what it allows access to. Anyone pointing out a failing in your system should not be prosecuted unless they've actually committed a crime.