This is always a bit of a tricky situation - and though the specific law varies from country to country, the general gist tends to be the same. Unfortunately, it doesn't fall on the side of "that was a stupidly obvious flaw that should be fixed and you didn't do anything destructive so there's no way you're being prosecuted over that." I genuinely wish it did - but unfortunately this is one of a few areas where I don't agree with the law.
Lowndsey's view is unfortunately one that the legal system would most likely take (if it got that far; I'm not trying to scare you here!). My view is that it's more akin to seeing a door open, thinking it looked a bit strange, then leaving a note there to warn the owner it's a bit of a silly thing to do... but anyway.
I can genuinely empathise in this situation; I've been in a similar mess before. This involved seeing that a network share was open that probably shouldn't have been and then directly reporting it. It didn't go down well in the slightest.
The point is even seemingly trivial, minor things such as this can be taken very seriously. It's probably not the note they're worried about, it's the fact that since you had access to a share you shouldn't have, you might well have been able to look at information they didn't want you looking at. At least that's the line they'd try to push.
However, relax. There are a few reasons why I don't think this particular situation will go anywhere:
- Presuming you didn't steal information, they'll have no logs or anything to prove that you accessed any confidential files. Without proof, they can't really win that one.
- Even if this was classed as an "attack", it was a remarkably trivial one. It doesn't render it lawful, BUT if the company does take you to court over this they're publicly proclaiming that their systems are about as secure as an unlocked garden shed. No company, small or large, wants that kind of publicity.
- There's no way they can argue your actions were malicious; if anything it was the opposite.
- You're a 19-year-old clearly just trying to make a bit of money on the side, not a 30-year-old who's had multiple records for this sort of thing.
- Once the company has calmed down and realised that nothing actually happened, chances are they won't want to fork out for lawyers and the like to take this to any serious level.
Also, did you sign anything related to use of IT equipment? If not, you're in a much, much stronger position.
So based on the above, I really wouldn't worry. That said, I'd also seriously second root's recommendation of a letter - it can't do any harm, and could help your case a lot by clearly stating your intentions.