[DanBC]

Regulators don't care if you're hacked.

What they care about is how much data you had (and did you need all of it), did you tell the users, have you put things right, had you done anything to protect the data?

If you have a lump of data that you don't need, that you store with no attempt at encryption, and it's held behind software that you haven't bothered to update even though security patches have been released then yes, you're going to be regulated.