This smells really funny. They could have buried this instead of going to court (with a 1+ year delay!) and committing PR seppuku by making this public and giving their clients a reason of distrust. Now, this is indeed the right thing to do, the guy shouldn't go unpunished and they should disclose their security breach, but if they are doing it for the "right" reasons, why is it 1 year later?