[Generalization] Companies are not ethical, they are rat bastard pieces of crap that care only about profits and money and give a fuck all about consumers.[/Generalization].
As such, being hacked doesn't immediately mean a financial or business impact. Hackers stole 100,000 encrypted database tables, well so what? Do you disclose worst case scenario if they attackers can decrypt them or do you just assume they won't be able to break the encryption. My bet would be companies would go the later route. Also translating lost data into dollars usually looks really bad. For example.
When prosecuting the case and determining damages, they will include the cost of reporting to each individual effected, labor, envelopes, stamps, etc. At a 2-3$ per person this adds up quick. That doesn't cover loss of revenue, business deals and who knows what. So on one hand you want to stick it to the people who attacked you but not spook your investors. Tricky situation, most companies instead just sweep it under the rug.