The announcement is nice and all but hmm, wouldn't some people take advantage of this and send spam mail? I mean, IF just if they were able to access a duplicate copy of the email and send them towards the affected, they could potentially dupe them into clicking their scam site or something. That is, providing they don't really read the email carefully and notice that the emailw as a fake ledger email. Though chances are small, there's still a chance.
That's specifically what the leaked information would be used for. Given the sensitive information being leaked, attackers could potentially use the information to craft a more personalised phishing emails for the victims. Even if it isn't, the sensitive information could also be used in SE attacks against companies.
Fortunately, the data breach is not that severe, only impacting their merchant information. At the same time, I don't think its necessary for Ledger (or any other hardware wallet manufacturer) to keep sensitive information of their customers for long periods of times. I would have expected information to be scrubbed regularly.