How do you know? (Note that the point of a punitive lawsuit is not only to encourage the culprit not to do it again, but also to encourage other potential culprits not to do it again.)
I guess the answer is "because it was just a mistake", but (1) not informing their customers promptly when they found they'd made a disastrous security screwup wasn't just a mistake, and (2) since they themselves say they're improving their procedures in response to the incident, it seems clear that there are things they could have done that would have either avoided the just-a-mistake or mitigated its consequences.
I guess the answer is "because it was just a mistake", but (1) not informing their customers promptly when they found they'd made a disastrous security screwup wasn't just a mistake, and (2) since they themselves say they're improving their procedures in response to the incident, it seems clear that there are things they could have done that would have either avoided the just-a-mistake or mitigated its consequences.