I'd expect at least huge fine and re-evaluation of the whole contract (it could be they are unique provider that can not be replaced, but more likely there are other options). Looks like causing private data of hundred thousands of people to be stolen is regarded as a minor thing not worthy of real punishments.