Hate on "We take security of your data" is a new hype, but grandparent and OP actually contained blame shift:
> security compromise of the third party vendor
> collected by the independent vendor <...> may have been compromised
This is the case of "sorry for my friends, I'm doing the best I can", which is entirely different situation than "I accidentally slept with your best friend, but I value our relationship" kind of PR.
If they "took security seriously" they would work with vendors who take security seriously. Wonder if they'll drop these guys as vendors now that they are proven to not take security seriously...
How do I know the hack was due to their incompetence? PR people need to come up with a better approach.