personal information is the aim
When will these hacked companies start to believe all personal information WAS taken, rather than believing none was taken? Even if they have read-logs if the hacker has full access those can simply be deleted, and if backed up then can also be deleted from the backups, thus all traces of access can be hidden. I think these kind of ignorant statements should add to their fines.