Not sure why you are focusing on the PII scenario. The original report seems to say it is just "unsecured databases" and not databases that have PII information posted.
You are also making an subtle assumption that the service is being administered by a 3rd party. Could be that the service is being administered by the owner of the data.
The folks hit didn't have backups (if they did, well anyone can restore them), nor did they secure their db. One is forgivable. Both together get no sympathy from me. Rather disgust that some of them had PII from customers that trusted them.
More justification that this is an appropriate way to teach people a lesson. You don't seem to care at all what the impact might be on those affected. You are in affect encouraging the criminal behavior because the ends justify the means, apparently.
While I understand the concern that organizations aren't taking proper care to protect their data I think legitimizing vigilante punishment for those mistakes is a very problematic stance.
You are also making an subtle assumption that the service is being administered by a 3rd party. Could be that the service is being administered by the owner of the data.
In any case it is still wrong to delete the data.