Re: Good for them not to pay up!
Re the 'best locks' ... Actually under DP rules you do expect them to get the best locks they can afford. DP principles require security to be 'appropriate' so what this company should do needs to be appropriate based on their available finances and situation.
While you might not expect them to have the same level of technical security as HMRC or the NHS, you would expect them to have more sophisticated tech than an accountant who is a sole trader.
If they haven't employed obvious security measures such as patching and the like they would have breached GDPR.
All that said, the fact this is a criminal attack would be mitigation against any enforcement action.