"The official line at the beginning was that investigators had been drafted in and there was no evidence to suggest member data was compromised, a stance that has since shifted to open up the possibility of data access. CAMC, however, reported itself to the UK's data watchdog, the Information Commissioner's Office, from the outset."
In so many of these cases a lack of honesty & transparency from the outset.
If in doubt, communications assume the worst case data leak scenario & warn customers ASAP... If it turns out the actual result was "better" than worst case scenario, then regard that as a bonus.
The BS of "minor incident" gradually unfolding over time to statements along the lines of "Ooh, crown jewels nabbed" gets tedious & irritates customers.
I'm not one of the El Reg readers affected by this, just sick and tired of seeing the same old PR drivel, when customers would be better served by honesty, even if it's just "we don't know how bad it is, so assume the worst until we know otherwise".