"victim blaming – commonplace in infosec – isn't helpful"
When the hack occurred because the victim wilfully ignored standard procedures, allowed known holes to exist in their infrastructure and acts like Experian, Uber or Talk Talk then they deserve to be shamed and there are no lessons to learn.