Unfortunately we learnt the hard way with data breaches – but sounds like you have done everything in a transparent and upfront way which is what the ICO is concerned about. The only thing that I would add is that, as data controllers, we should keep a log of data breaches, actions, outcomes and learning as we go – should we ever get investigated, the ICO would look for this as part of our governance procedures – they want to know that we know data breaches have happened and that we have proactively worked to ensure they don’t happen a second time.
Some things do need to be reported to ICO but I agree, if I was doing the risk assessment in my company I wouldn’t think this would reach threshold.
Hope this helps! It’s horrible when it happens, but these are all just learning opportunities!!!