Agree with Spring, hope we find out eventually. Would someone let us all know the story, if some real details are published?
I wonder what can be done about giving these companies a real slap. What you do not want is for a huge fine to mean that the company starts cutting corners even more, so making security and sys admin functions even worse. Any punishment handed down by the courts ought to include a requirement that they pass enhanced third-party security audits ever year afterwards, and of course they have to pay for these costs. Also external experts can insist on security upgrades with the backing of a court order.