I suspect that has to do with how the incident response is handled.
The typical cyberattack response seems to be "oops, change your password and here are a few years of credit monitoring, on us". From the customer perspective a detective control was added but nothing to actually mitigate nor repair the damage. In short, they frame the event as them being the victim of the attack instead of their customers being the victim of the data disclosure.
Contrast this with how Tylenol handled their 1982 crisis. After a few of their capsules were discovered to contain a poison, their response was to very publicly protect their customers, advertising "don't consume our product" and voluntarily recalling their entire product line. Recovery was similarly publicly obvious - redesigning their product (capsules became caplets) and introducing the concept of tamper-evident packaging to the world. Both being a defense that "makes sense" to protect against an adversary-in-the-middle again tampering with the product.
In short, they frame the event as them being the victim of the attack instead of their customers being the victim of the data disclosure. Contrast this with how Tylenol handled their 1982 crisis.
Great observation and reference. A good milestone case regarding customer data was back in 2004 when a former AOL employee stole and sold the database to a spammer. The crime the individual was charged with basically amounted to theft of corporate data. The problem wasn't that 30 million people had now been subjected to the annoyances of spam; it was that AOL didn't get paid for it. AOL already traded and sold its customer database at will. It was essentially a marketing company that also sold online access.
While we have progressed in the US from that time (mostly due to state laws), fundamentally, we still do not own our own data.