It’s an interesting perspective for the LSEG to say (paraphrasing) “we maintain a sensitive database that we gave to a third party (presumably with some amount of vetting, since the data is sensitive) and that third party did not adequately secure it, therefore this is not a security lapse on our part.”
I was going to make this point. It is of course a breach of security on their part. If a company believes that the data they collect is sensitive, then they need to take great care about the partners they share information with, including their capacity to protect it - it's a matter of common sense that the easiest places to breach will be the places suffering the data leak.
If the hackers phished the customers of the third party and used their accounts to scrape the information in some way, would you consider that a security lapse on LSEG's part?
I’m not sure if I buy it.