My guess is that from a PR perspective they might have worried that releasing the information without a definitive scope of impact would have led to days of wild panicked speculation in the media outlets and userbase.
While there was still wild speculation, security was only one of many possible scenarios being discussed, and it was mostly treated like a regular outage.
I'm not saying this delay in disclosure was "right" (what if it had ended up worse in scope?), but I agree with sibling post (dave1010uk) that it seems to have worked out better for their brand.
Why couldn't they notify people about the hack, then alert them to its specifics in due course? Piss poor excuse IMO.