" I would have expected from 10 years to a life ban."
No that's for when the company is actually trading fraudulently.
A subsidiary question would be did the get the database by a breach of trust or by breaking the other companies security.
One is obviously unethical. The other demonstrates (misapplied) skillz.
I await the full write up with interest.