Re: Not at all surprised
Although there are a few minor loopholes e.g. PAN (i.e credit card number) may be long term stored unencrypted but *only* if various adequately robust compensatory security controls in place - and obviously compensatory measures were inadequate based on what has happened. So you would expect a big fine (without action it's also a massive disincentive for everyone who spend time & money keeping up with regulatory requirements)