The company lays out the details of their investigation and though it is in Dutch it was interesting that the conclusion was largely due to "someone" leaking the information about the hacker. It raises a couple of questions, if you were a security company and obviously not going to get anywhere would you hack a company's user database (regardless of the legality of the service provided) and say that it was leaked by "some" hacker to avoid being charged yourself? Also, is it not a bit odd that the information that brought down the hackers was still retained 9 years after the attacks? Or that being stupid once, 10 years ago, can still bring you down. Should there not be a push for statute of limitations on cyber crime?
Sorry, the link is in Dutch.