I am very disappointed in you.
You get hacked, have 77 million credit and debit card numbers stolen but wait one week before telling your customers. And now you face a class action lawsuit, a senator demanding answers, and possibly lots of "angry mums". (Watch out for those angry mums! Like Bob! Or is he a daisy?)
And, given your track record on security (i.e., installing rootkits on customer's machines), you're not really in a good place right now.
The right thing to have done would have been come clean initially. Be honest with your customers from the start - "We stored information we shouldn't have, we didn't encrypt your data, and it's all been stolen. Call your bank and change your debit and credit card numbers."
Other companies, please take note. Only store the data you need to. Tighten your existing controls. Do not think yourself invulnerable, or something's gonna getcha, little Walter.