Penalties for this sort of breach should be high enough to delete the company and have the directors banned from the business for life. Until that sort of thing is a strong possibility, they will continue to calculate the risk v. cost when it comes to security instead of making data security an overriding priority.
If the goal is revenge, then yes, liquidate the company and leave their employees without work and their customers without coverage.
If the goal is to deter this from happening again, we should look at what caused the situation, what permitted it, and what the final outcomes were. I suspect that "cost avoidance" was a major cause. Probably also poor understanding of the risks by the people who made decisions. This was likely permitted by poor oversight, maybe a weak company culture of integrity, and the perception that the people who benefitted from the decision were separate from those who would bear the costs.
I'd like to see some independent security guarantee, required by lenders, brokers, estate agents, and licensing bodies. They need to know whether they can trust suppliers. Clearly, they didn't.
Final outcomes are being decided now. I hope it doesn't simply add injury to those who were already harmed.