TBH the handling of the cluster outage was beyond catastrophic.
It still can be incompetence in place, but in the world of cybersecurity “temporary secrity issue” means that the issue was so bad, that they legally can’t even tell that no sensitive data was stolen, or they don’t even know what happened. Normally you get overly specific statements from which you can deduct what the issue was. In this case all worst cases are still on the table and an explanation should be available Day 1 and in the Email.
I guess we should have an eye on our credid card bookings until we know for sure.
edit: Around a day passed since the email. This is far to long. Ff something really serious would have happened it would be too late for counter measure on the user side.