I didn't say it's ok; if you re-read, you will see I was saying worse things have happened (with some examples), yet nobody is shouting. The important point was that nobody is shouting anymore after some days, and they forget about it. The same thing will happen with Ledger.
Why did they have all these unnecessary details?
For accounting or customer service or other things. According to the law, it is mandatory to keep invoices with customers' information and all traces of each and every transaction. All businesses are like that; it's just a matter of accounting using a ledger.
Why wasn't it secured?
It was, but apparently not enough, and a (group of) hacker(s) has found a breach in the system. It doesn't mean the system wasn't secured at all.
Secondly, Ledger either lied about the scale of the data breach, or they were completely unaware of the scale of the data breach until the file went public, and neither of those instills any confidence in me whatsoever.
They didn't lie and had no reason to do so, knowing that with the GDPR the company might be in trouble if Ledger had knowingly lied to hide the size of the incident. Not to mention the bad press it would have received.
It's just that Ledger couldn't accurately evaluate the importance of the incident; we can't blame them for that. They did what they could and even hired an outside company to audit.
Their business model is partly based on trust; Ledger has no benefit in losing it, on the contrary.
They have made a series of significant security errors followed by a series of significant public relations errors regarding this data leak.
It was a strategic decision if they didn't communicate as the masses think they should. No matter the industry, you will rarely see a company communicating 'immediately'.