I wonder if the customers affected could sue VM for a breach of private information under GDPR?
On the subject of the latest report, it shows why sites shouldn't be automatically blocked, because requesting a site be unblocked puts a spotlight on the customer. If VM (and maybe others?) make it so everything legal is unblocked, then if the customer wants to block a site then that would be less valuable information to hackers if it got out.