What I find strange is the fact they have agreed not only to pay but also to make the fact public. As a web hosting company you would expect them to have regular backups, this is not something they couldn’t recover from without paying.
The backups may have been encrypted if they didn’t have separation. Or maybe no backups! I bet they do secure backups now!