Bold move. If it were an American company, they would have been open to violations of the CFAA. I'm surprised Britain doesn't have an equivalent.
For any aspiring hackers or InfoSec types out there reading this: Never, under any circumstances exploit a system you have not gotten express permission to.