>>A punitive lawsuit isn't going to improve anything in terms of making sure they don't do it again.

What's stopping us to say the exact thing in defense of any xyz alleged offender?

How do you know? (Note that the point of a punitive lawsuit is not only to encourage the culprit not to do it again, but also to encourage other potential culprits not to do it again.)

I guess the answer is "because it was just a mistake", but (1) not informing their customers promptly when they found they'd made a disastrous security screwup wasn't just a mistake, and (2) since they themselves say they're improving their procedures in response to the incident, it seems clear that there are things they could have done that would have either avoided the just-a-mistake or mitigated its consequences.

Lawsuit is also a good tool so scare others from just trying to do something useful—just in case someone sues on the first mistake.

They won't lost customers if they don't tell them about the problems. The bad press is this, right here.