I actually agree with you; this could be handled better by them. I'm personally a little confused by the details and timings though; where did you read about them profiting after they knew about the issue?
I'm working under the impression that they were aware of the specific "breach" some months ago, and only terminated their dealings with CA once the matter became public (so cutting off the revenue stream from CA was done as a reaction to bad PR, not because of any moral rightness or as a reaction to any policy or contract breach).
Oh, I was under the impression that the business relation was with some university researcher and finished a while ago. The researcher didn't delete the data, and instead brought it to CA (Facebook didn't deal with CA directly). Facebook found out some time ago but did nothing more than tell them to delete it and trust that they would, without really informing anyone or pushing further.