And the customer's customers?
It appears that ABBYY has acted reasonably responsibly*; I wonder if the customers whose data have been vulnerable have been informed by the unnamed third party?
* Apart from allowing a DB 200k+ records to be misconfigured and left in a "public" place of course.