It was only DETECTED on the 13th, and they suspect had been going on 'for some time'. And basically not sure if user data was touched but they suspect or haven't provided it yet buly saying'NOT'.
Your options are: (A) Vendor waits until all the facts are in place and the investigation is finished or (B) Vendor tells customers as early as practical so they can take their own mitigation steps.
You do not have the option of (C) Vendor should tell me about a breach they don't yet know about.
I'm sure they want answers too, but they're working on it, and this is what they have right now.