I'm sure that in this situation and legal climate, the only way they could've potentially avoided a lawsuit was to try and keep it quiet (to the detriment of their user base.)
Sadly, doing the right thing just makes you a target.
Potentially. But see how Lastpass dealt with a potential breach [1]. Have not heard of them being sued. I don't think "cover it up to avoid getting sued" is the right message.
I'm sure that in this situation and legal climate, the only way they could've potentially avoided a lawsuit was to try and keep it quiet (to the detriment of their user base.)
Sadly, doing the right thing just makes you a target.