The other thing to bear in mind, other than doing the right thing for themselves and their customers in terms of data security, the breach included credit card information which is governed by the PCI regulations and is a contractual commitment between the merchant (BA) and their acquiring bank that processes their card transactions. Irrespective of if people think BA were unlucky here (which they were not) they had committed to maintain the security of cardholder data to their bankers and they clearly failed.