It seems to me that the fundamental problem is not that they got hacked (although it seems that storing a decryption key in the same directory as the encrypted data is over the top careless), but their response to the disclosure that they got hacked. I realize that there may be limitations on exactly what they can say, but they should be as open as possible on what may have happened, what they are doing to protect their customers, and what their customers should do to protect themselves. Customers taking action when there wasn't a breach is less of a problem than not taking action when there was, in fact, a breach.