They were a business taking other people's data, and those people entrusted them with its safekeeping.
If my bank accepts my valuables and stores them, they're legally and morally responsible for taking reasonable precautions. Piranha moats are probably out, but vaults with timed locks are not. If the bank doesn't put locks on the doors and leaves the vault open then yes the thief is responsible for the theft, but the bank is responsible for the theft *succeeding*.
Same here. While the attacker is an asshole and responsible for extortion and destruction of property, it's the company's unsafe practices that allowed this to succeed and be more than a minor disruption of service. And having full control over *all* data AND their backups from one single, internet-accessible control panel is not just unsafe, but idiotic. It sounds like this company was started by some kids that liked to "play business" or a bunch of finance managers with a nephew that "did something with computers". But not by serious sysadmins.