Not at all surprised
I was a customer of theirs about 5-6 years ago, most technically incompetent ever was sincerely glad to be rid of them (was with another ISP who they took over).
From what's being said their data wasn't encrypted, in the case of credit card information this could make them liable to fines in the millions for breaching the PCI regulations if that's the case (credit card data must be encrypted from end to end.)