I’m sure their privacy policy gave the standard promises about storing their private data in a secure way, which they did not do.

Their ToS can be found here. Section G of their Limitation of Liability tries to shield them from liability against data breaches. But if they were criminally negligent, the ToS won’t protect them. The Data Protection section basically just says “check our Privacy Policy for info on what we collect”, which is pretty standard fare for a ToS.

The Security section of their Privacy Policy is also extremely boilerplate. Here’s the entire thing:

Security of Your Personal Information
The security of your Personal Information is important to us. When you enter sensitive information (such as credit card number) on our Services, we encrypt that information using secure socket layer technology (SSL).Tea Dating Advice takes reasonable security measures to protect your Personal Information to prevent loss, misuse, unauthorized access, disclosure, alteration, and destruction. Please be aware, however, that despite our efforts, no security measures are impenetrable.If you use a password on the Services, you are responsible for keeping it confidential. Do not share it with any other person. If you believe your password has been misused, please notify us immediately.

This one particular sentence may end up burning them though:

Tea Dating Advice takes reasonable security measures to protect your Personal Information to prevent loss, misuse, unauthorized access, disclosure, alteration, and destruction.

I think most people (and the courts) would agree that putting a password on your database is a reasonable security measure that would be expected per this Privacy Policy. Especially since their next sentence goes on to elucidate that users should keep their passwords confidential.