No attack is accidental. If a vendor fails to follow appropriate operational security, it is certainly the illegal actors fault. But it is also the fault of the vendor's negligence, and might also be the fault of whoever failed to properly vet the vendor. All three are potentially culpable.
Moreover, I took the parent comment to be referring more to customer flight rather than some judiciary judgement. 'I got mugged' is not what you want to hear from the person entrusted with your data security.