Sure, I appreciate that the NordVPN breach did not affect private data, but it is the underlying processes which make it concerning. As you say, the server management company did not reveal the breach to Nord. That is hugely concerning that Nord are unaware of breaches which are happening on their own servers. And after Nord were made aware of it, they did not alert users who could have been breached or MITM attacked for several months.

It is this lack of awareness of their own systems and lack of respect for their customers which makes me avoid them, as opposed to the breach itself.