The difficulty I see is that even a minor breach can have associated consequences.
Consider, for example, a sporting club with an online portal for court bookings or classes, etc. There is nothing confidential in there; it's all printed out on the noticeboard anyhow. But their server remained unpatched for years as they can't afford an IT BOFH, and now their MySQL backup files are popped.
OK, so nothing confidential had been exposed, and the passwords are all at least hashed, even though it is unsalted MD5 (which we knew not to use even 10 years ago *cough* Yahoo! *cough*), but by my reading this would definitely be a minor breach.
The problem?
* Any common MD5 password can literally be cracked by googling the hash. Or hashcat will find it very quickly if less than 8 characters.
* Most people use the same password for multiple services.
So now someone has their email account popped and from there password resets on other services.
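
An added example, not part of the original comment: an audit check showing why unsalted MD5 makes this a wider problem. Every user with the same password gets the same stored value, which is what makes a single precomputed lookup work across accounts, while a per-user salt with a slow KDF removes that property. The account data, function names and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts standing in for the club's user table.
ACCOUNTS = [("alice", "tennis123"), ("bob", "tennis123"), ("carol", "Xq7!vLp2#rT9")]
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def md5_unsalted(password: str) -> str:
    """The scheme from the comment: the stored value depends on the password only."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt plus a slow KDF, stored as 'salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = pbkdf2_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def users_sharing_a_hash(table: dict[str, str]) -> list[set[str]]:
    """Audit check: groups of users whose stored hash is byte-for-byte identical."""
    by_hash = defaultdict(set)
    for user, stored in table.items():
        by_hash[stored].add(user)
    return [users for users in by_hash.values() if len(users) > 1]


def build_tables() -> tuple[dict[str, str], dict[str, str]]:
    """Hash the sample accounts under both schemes."""
    md5_table = {user: md5_unsalted(pw) for user, pw in ACCOUNTS}
    kdf_table = {user: pbkdf2_salted(pw) for user, pw in ACCOUNTS}
    return md5_table, kdf_table


if __name__ == "__main__":
    md5_table, kdf_table = build_tables()
    print("unsalted MD5, users sharing a hash:", users_sharing_a_hash(md5_table))
    print("salted PBKDF2, users sharing a hash:", users_sharing_a_hash(kdf_table))
```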