this incident is really indicative of a general trend across all businesses that deal with personal data.
There were several studies, some dating back as early as 2010, that it is still CHEAPER for a company to get hacked/breached than to do any action, i. e. improve IT security, inform users that their details have been stolen, pay for customer's credit card information be "monitored".
When US banks were told that they should be issuing PIN-based credit cards (vs swipe and sign), the banks refused because they don't want to be responsible of upgrading the merchant facilities because the banks don't want to PAY for it.
At the end of the day, we're going to be seeing more of these.
Biting the hand that feeds IT
