They informed authorities, just as required by GDPR article 33, a good question is whether they reacted within 72 hours of finding out, given that the breach is from 2015. They seem/claim to be compliant with article 32, but I guess they should be investigated.
See section 2 here: http://www.privacy-regulation.eu/en/index.htm
