If your security consists of
a) A poorly maintained barb-wire fence
b) A gate manned by a 75-year-old semi-dead/blind security guard named fred
And records are stored in a big box just inside an unlocked door easily accessible to anyone, then yes... they would be responsible.
It's not that they weren't a "victim" of hacking, it's that their terrible data retention and security practises put customer-data at risk and enabled the hacking.