For all I know, they've given the private data to an organisation dedicated to alerting people about breaches. If they fear that the data may also have been accessed by others, that's not a reprehensible thing to do by itself. Besides the DDoS apparently being from the same author (which seems odd because those ethics are incongruous), I don't know what else they've done so I don't know that it's in violation of what you linked