What forum was the data uploaded to, and how did the upload come to light? The file must have been pretty big - about 1.6GB if it had 1024 bytes per record (please check maths!)- so it wasn't uploaded by accident. Was it malicious in intent? The company seem to be implying that it wasn't. If it wasn't, what goes through the mind of somebody uploading a file that size, containing lots of PII, to a forum? Fresh air, probably.