Re: Not too bad, all things considered
I'm inclined to agree with jmch.
While there is some residual risk of taking 10 days to notify, it's probably better than average for something of this size.
In practice it does take a bit of time to confirm it's actually happened, evaluate exactly what data has been taken, and which people need notifying.
They could have used the 2-step model of a general "something has been breached, be alert, details to follow", followed by a "this does/doesn't actually impact you personally, in this way...", but I guess that's being balanced vs reputational damage risk of broadcasting a worse message than they actually need to.
I guess