So Citi will be fined hundreds of millions of dollars and fire a whole bunch of senior management? No? Ah, very well, carry on then.
Clearly losing a bunch of details the first time round did nothing to improve their security. Blaming it on a third party is a cop-out. In the new UK anti-corruption laws, a company is liable if a third party acting on its behalf is paying bribes. It's up to the company to make sure that its partners are also in compliance.
Should be the same with data protection. If I entrust my customers' data to a third party, it's my responsibility to ensure that data is safe. If I'm not happy with their protections, I don't pass any data on to them.