That analogy stinks and it is not as simple as you make it. It is about intent and malicious use. Opening a door is legal too, still you can get punished if you were not allowed to open that specific door and abused the opportunity to take some stuff with you or violate someone's privacy.

The problem is not that "he incremented a number, get the sheriff" but "he incremented a number to get access to information which he that maliciously used".

Except that he "maliciously used" the data by giving it to a journalist. Sounds like an act of a whistleblower to me. His intent was to expose (and embarass) AT&T and to me the fact that he didn't like AT&T and wanted to hurt them is irrelevant.

Had he actually tried to sell the personal data OR actually shorted AT&T shares that would be very different from my point of view and be worthy of actual punishment but my understanding is that didn't happen. Given it didn't happen it should be up the prosecution to prove that he wasn't joking for that to be used as intent.

I'm a little uneasy about the idea of not prosecuting him at all though as the flaw could have been exposed by collecting a sample of the data to see the extent of it without collecting it all but I would be equally open to prosecuting AT&T for not securing customer data appropriately (I would have no problem with prosecuting both - the victims are the customers whose data was exposed by AT&T).