Re: but will they
I have no idea about US law, but under UK law the website operators would be legally obliged to hang onto the financial data of each member for six years or so, regardless of whether the user had asked for their records to be deleted. However, the financial transaction data would be fairly limited, and would only detail that User A paid the website $this_much on such and such a date, for website-based services.
There isn't actually any detail of how much data was leaked, or how much data the attacker(s) stole. I would honestly doubt that very much data could be lifted from such a company without alarms being raised; the business transactions databases and credit card databases would seem to be the prime target in such a raid, with the users' sexual preferences and so on being a much more secondary target.
The reasoning here is that whilst known-good credit card details have a ready market and a known going rate, blackmail material does not. Blackmailing people is difficult, intensive work and requires a near-psychopathic bastard to run it for best profit, with a high chance of the blackmailers getting caught either by law enforcement or by enraged adulterers. Furthermore, with photo-manipulation techniques being so prevalent these days, a supposed nude photo of some bloke doesn't have nearly the blackmail potential that it once had; all one needs to say is "That? Photoshopped, I'm much more handsome than that!" and bluff it out.
No, the reason so little data from the hack is getting published is that little data was actually taken.
Biting the hand that feeds IT
