Was it a public interface? My read is that his app was logging in to the university system with his personal credentials.
It's not clear why there couldn't be a public read-only interface for that data, and it's a shame the U wasn't willing to work with him on it rather than slap him down reflexively. But it is reasonable for them to object to his use of his personal account to enable a for-profit project.
I built a similar system once, with similar (but not nearly as ridiculous results. There was a public interface, but it was a few hours behind the private one.
It's not clear why there couldn't be a public read-only interface for that data, and it's a shame the U wasn't willing to work with him on it rather than slap him down reflexively. But it is reasonable for them to object to his use of his personal account to enable a for-profit project.