I wouldn't expect better. Everybody sends these kinds of emails. Banks, shops, social media sites, hospitals, government... everybody. It's just easier this way for each particular site, and since data theft and unauthorized access has been successfully reframed as the victim's fault, there is no incentive not to do it.