Once they knew any something was leaked, no matter what, the responsible move is to inform everyone to give them a chance to lock down their shit. More time or knowledge of where the data is won't save anyone.
As for the "other attacker" excuse, how would that work? Just from knowing that data was leaked no new attacker can deduce the weakness used.
The PR damage to the company would be much greater due to people speculating a worst case scenario. Followed up by the fact people wouldn't care anymore when the investigation is finished.
Once they knew any something was leaked, no matter what, the responsible move is to inform everyone to give them a chance to lock down their shit. More time or knowledge of where the data is won't save anyone.
As for the "other attacker" excuse, how would that work? Just from knowing that data was leaked no new attacker can deduce the weakness used.