If you can see the data by iterating a single number in a URL, and there's zero authentication or verification of credentials, there's no possible way to call it malicious. The fact this family's home was raided was already a colossal mistake. The fact charges are even _suggested_ is such a joke I don't even have words to describe it.