This guy is not a hacker. Script kiddy at best. They can surely find something legitimate to put this guy away for a little while and he probably deserves that. This however sets such a bad prescedent. You didn't even need a script to do this as a single CURL command with numeric range wildcards would have done the trick.
The real reason this blew up was because of what it meant to the security of people who were listed. The real fear was that someone was going to figure out how to use the ICC-ID to target the people who were exposed. The list was a who's who of government, defense, and private industry. AT&T didn't protect the identity of these people who were all walking around with 3G iPads who could be identified via their email addresses. So you could electronically tie iPads to specific people.
The moral of the story is to not mess with the man. He can put you away for years even if what you did doesn't amount to anything. They can call you a hacker, terrorist, etc and reality doesn't matter. Perception by people that just don't understand is what you are left with.
He should argue he didn't have a jury of his peers. The people who understand what he actually did cannot believe this has moved forward and now been successful. The guy is a duche, but the precedent is an epic fail.