He did have permission to "enter". He was authorized to use the server.

His intent of releasing the data was bad (assuming he started with that intent!) but he wasn't committing any fraud when collecting it. He didn't bypass any authentication or damage the server. CFAA is the wrong law to use.

If a restaurant puts a bunch of proprietary documents in a dusty corner of the public lobby, you shouldn't browse through them but you're not breaking and entering if you do so. No matter what your intent is.