Why didn't they contact anyone back in January? According to Sheehan:

We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

Well, guess again, Sherlock. Richards was able to gain administrative access to the site, and she says the log files were missing. If anyone could become an administrator, how would they know who or wasn't authorized? Without a log file, how would they know how many times this data was downloaded?

Bottom line: It's now Christmas in March for identity thieves.

Canceling and replacing your credit cards is a hassle (I know, I just had to do this myself recently after I lost my wallet). Good luck canceling your street address, phone number, e-mail, passwords, and any other information contained in those databases.