Ooooops.
While there are plenty of people who will tell you that a five-day turn on a million-plus breach is pretty responsive, you won't find that attitude in the press, you won't find it among Monster's compromised users.
The lesson from this is that whatever the nature of a security breach, you must mount a zero-day response. That means now, immediately, pronto, post-haste.
If your company gets breached, take a (quick) deep breath, get your recovery teams to work and start getting to work on getting the word to affected customers, vendors, contacts.
The consequences won't necessarily be any easier to swallow, but you'll at least be swallowing them without the unwanted seasoning of charges of denial, or, worse, deception.
It's a lesson easier learned by small to midsized businesses because you don't have to deal with the levels of bureaucracy, bad advice, BS and butt-covering that gets bigbiz into bad PR straits.
In other words, when it comes to notification of security problems, don't do as they do -- and don't do as they (don't) say, either.