Re: January? March? Which is it?
Going to have to hypothise, but the time taken for a hack to be discovered and learning the extent of a breach are not always the same thing. They may have had to arrange a third party to come in to search through (perhaps?) incomplete/scant datasets and correlate evidence of what was actually exposed (and maybe they cut costs there too).
Customers should have been informed, countermeasures should have been put in place to secure personally identifiable data, money should have been spent by Easyjet (hah!). I don't have a high opinion of Easyjet (hence this borderline rant) and maybe they didn't take this seriously enough, but there that is why I believe they may have delayed informing customers (crossing their fingers it was something insignificant).