Well, I think if you become aware of a security vulnerability that exposes the data of large numbers of people then you should be fairly hasty in taking steps to make the relevant people aware. Criminals are not fazed by an Xmas holiday, generally.
The kid (and he is a kid, here) didn’t sell the data, didn’t publish it broadly or otherwise do nefarious things with it. He tried to bring it to their attention, then tried another tack after a few days of non-response. I might do the same (though i wouldn’t know an SQL injection from a flu shot in all honesty).
