A few unanswered questions
It has been over a month since this breach, and the notification is coming exceptionally late. They know exactly when the service was breached and what information was accessible, but it would seem that the investigation started only very recently. Their auditing and alerting practices at the time were seemingly not sufficient to discover the breach ‘as it happened’, only much later. They have also not confirmed whether the discovery came from an external escalation (customer reporting) rather than from their internal controls.
Further to this, they offer no details on how the breach occurred or on the measures that have been taken to ensure that the technique, technology or policy involved has been changed and/or remediated to reduce the risk of recurrence. It does not instill much confidence.