Tuesday, March 15, 2016

Breach or not - Retailers and regulators again

To investigate effectively and avoid causing panic before most of the background is known, security breaches are often not disclosed until the organization (or its investigators) has formalized a communication strategy.  Hence, Amazon's recent email blast asking customers to reset their passwords could be a prelude to something, or nothing at all.  Based on the limited details so far, it does not appear to be a phishing attempt, since the email contains no link; it does mention that the passwords might have been posted online, hence the suggestion to change them.
In an unrelated matter, the CFPB (Consumer Financial Protection Bureau) issued its first Consent Order against an online payment platform, questioning whether reasonable and appropriate data security practices were in place, i.e. whether the platform met at least industry security standards.  The order cited lapses in employee data security training, lack of encryption, no periodic internal risk assessment, missing policies and procedures, etc.
Hence, the CFPB issued the order without any prior report of a breach, proactively representing consumers (which adds to the growing awareness) alongside actions taken by authorities such as the SEC and FTC (Securities and Exchange Commission and Federal Trade Commission).  The CFPB included the following recommendations:

  • Annual/bi-annual security risk assessment
  • Third-party audit
  • Maintaining reasonable procedures
  • Encrypting data
  • Regular employee training
  • Appropriate customer identity authentication
  • Update security patches for web and mobile applications
