Perhaps, but what I can blame them for is for having very poor monitoring (50% failure rate and nobody noticed??) and poor security, culminating in this data breach.
People need to be held accountable for the security of their systems when they are storing personally identifiable information on customers or the public at large.
Edit: Perhaps they shouldn't be blamed when someone leverages a zero-day to break in, but if this is due to their failure to patch their systems, IMO their 100% liable for everything that follows.
50% failure rate is probably pretty normal for a form asking for SSN, name, address, and birth date - I fail my bank's security questions at least 1/3 of the time because things like "Anywhere Street" and "Anywhere St" are not the same.
People need to be held accountable for the security of their systems when they are storing personally identifiable information on customers or the public at large.
Edit: Perhaps they shouldn't be blamed when someone leverages a zero-day to break in, but if this is due to their failure to patch their systems, IMO their 100% liable for everything that follows.