Re: Mixed feelings here
Unscrupulous companies generally do not consent to white-hat hacking attempts, nor do they obtain the informed consent of their innocent victims. If protecting the innocent is your goal, you have to play hardball.
Speaking as a sysadmin, an anonymous hacker could get my attention by shutting down services. If I see signs of intrusion, I'll shut down the server and raise the alarm. I believe my current clients would do the right thing. Some site owners, however, would just fire me and find a code monkey willing to do the bare minimum to get the site running again.
In lieu of strong privacy laws, you have to wage a PR war against these jokers. It's not easy. You can't just leak everything. You can't announce that the site is insecure, thus inviting black hats. Probably the best you can do is to grab all their code/config to find more holes, and install backdoors, then keep taking the site down while anonymously leaking redacted evidence all over the internet, until the company closes up shop.
Again, easier said than done. Ideally "we" should legalize hacking (and grant immunity from lawsuits) and criminalize sloppy security/privacy practices instead. With prison time for proprietors, officers, directors, managers, sysadmins, devs... I guarantee nobody would touch other people's private info after that.