"a large global company holding data on individuals in many countries across the world"
Meaning, a company that has the means and resources to ensure that something like this does not happen.
Which, subsequently, makes the breach absolutely inexcusable.
Then, of course, comes the laundry list of technical questions, including the most important : was the data encrypted and, if not, why not ?
Given the number of people affected, it would be proper to see the board resign in its entirety regardless of whether there is a proper explanation or not. That, of course, will never happen.