This presumably also falls under the Data (Use and Access) Act 2025 which forbids this kind of citizen data being relayed to third parties without permission. The company don't have a leg to stand on here, which is why it is basing its public appeals now on the impact to its users (journalists). But no company has a right to flout data protection regulations or its agreed conditions of use without serious consequences. Since the data has already been passed on, the breach itself can't be fixed, so it is totally proportionate to order the service to be closed and its data deleted. Frankly, fuck companies with the arrogance to behave this way - cheating agreements and responsibilities in order to make more money, and then expecting indulgence because of the uniqueness of their service.