Being part of IT does not require different thinking. Vulnerability testing is a good thing in the physical world too. And it's also very often illegal without the prior consent of the owner. This is partially because it's pretty much impossible to know with 100% certainty what someone's true intentions are. But also partially because the tester might cost the owner lots of time and money that could have been avoided had the tester simply informed the owner beforehand.
I don't think he should have been expelled; his expulsion was obviously political. But he really should have contacted the company and gotten their permission in writing first.
Remember, people can do bad things even with good intentions.