basically if he looses the court. 404 page may result in getting orange jumpsuit and nice check to be paid. In my opinion leaving personal information accessible to general public (i.e. no authentication needed) is a crime. Letting journalists know is not a crime. In this case AT&T is responsible for misplacing personal data, and not the guy who had free access to it. In some ways it's really similar to Aaron Swartz case, as both guys found a way to get the data, and both got sued. I would suggest looking into this case more closelly as if he ends up in jail or pays a dime, a simple misuse of some companies website and/or public API (think Google Maps, etc.) Could land you in jail