They don't seem to know who did it, but they already know that the hackers were state sponsored? That seems really fishy.
Firstly, when you eventually get hacked IT IS NOT YOUR FAULT.
It's not your fault *THE FIRST TIME*. However, if you get hacked again after implementing fixes, it certainly IS your fault. It's cheaper to do nothing, but when you get hacked, you must do something, and it must be something to implement better security, and notify your users. Taking TWO FUCKING YEARS is way too long.
The cost of feathers has risen, even down is up!