Is this to purposefully increase likelihood of getting caught in a spam/phishing filter? So they claim they've reached out while also (probably correctly) claiming it's not their fault if customers didn't get it.
Interesting theory. My theory was that there are incident management contractors who get this sort of business and don't want to bother integrating with any existing company's infrastructure, so they just set up something entirely different.
Probably not so much "don't want to bother" as "can't do it in a timely manner because of the company's internal processes"
One of the companies I work for has all kinds of crazy domains because the IT department and the Communications Department don't get along the way they should.
Close to my theory! Basically, they need to send out millions of emails fast. This email, with a bunch of legal text, will probably have a high 'mark as spam' rate. This will destroy the domain's marketing ability. SO! The marketing guy won the argument in the meeting: don't use the root domain.
I think the stated reason is usually "a single place users can go to directly", the least nefarious reason is that they don't want to associate the breach with their main site, so only affected or inquisitive customers will know about it.