It depends on the crime though right? This was all legacy data and from the description the worst thing they got was contact information that's five years older or more ("internal operational documents and merchant onboarding materials at that time.").
For that level of breach their response seems about right to me, especially waving the money in ShinyHunters' face before giving it away to their enemies.
I agree, it depends, but this wouldn't be the first time company underplayed (or simply lied) about the extent of the breach. I am sure even if it was current data or a more serious breach, the messaging would be similar from their side.
For that level of breach their response seems about right to me, especially waving the money in ShinyHunters' face before giving it away to their enemies.