Its not about the hack. Those happen. Its about either
A) Them sitting on it for two years (assuming they knew about it)
or
B) Them not spotting it for two years. Which tells you everything you need to know about how much attention they pay to security.
Either way, calling them to account is legitimate.
Seroiusly, we know attacks and leaks happen. It's how the company responds afterwards that really shows you what they're made of.