(a) Even altering a parameter once in the address could be considered illegal under the current laws.
(b) The access of information in and of itself would not be illegal alone. Say I kept a bunch of people's information in paper files in file cabinets. Then I gave you access to retrieve yours from the file drawer yourself. It is sleazy, but not necessarily illegal to look at other files in the drawer, as I have given you access to their container.
(c) Even if you want to make the action in (b) illegal, the reasonable punishment is almost certainly not a double digit prison sentence.
> Why are we acting like AT&T is an innocent victim?
No one here is. I'm not sure why no one has done anything to them, legally. It'd be interesting if someone who actually knows what they're talking about in terms of the legal system about could comment on it.
He knew what he was doing once he'd pulled down a few records.
Also, yes, ATT should be held responsible for implementing lame security.