Sure, but the fact that it’s unclear is exactly what the city is reacting to. The point of the restraining order is that they have a reasonable belief that he might have distributed it to reporters, and he’s on the record saying he might create a website where anyone can see information related to ongoing criminal investigations or witness identities.

Note that showing the data to the reporter counts as distribution. He didn’t need to do that to prove to the reporter that the data was out there. Even sending screenshots of the data would’ve been ok if he’d redacted anything remotely confidential (it would be obvious from context that the document is probably legit, and the reporter would dig in further).

If he didn’t send any sensitive data to anyone, then I completely agree with you. But pentesters generally don’t send actual data to prove a breach exists to anyone but the target of the breach. Publicizing the breach itself is fine, but the article is pretty clear that’s not why they’re going after him.