What does it say?

I think adding the comment that they “changed their mind” was unreasonable because they didn’t change their mind. They wanted an opportunity which they got but didn’t exercise. They didn’t say “don’t contact us for comment in the future.” Which would be “changing their mind”. Their comment was simply “no comment”. This seems completely reasonable to me.

That they weren't even prepared enough to say "We at Sisense take security very seriously. Highest priority. Industry standards. Etc. Etc."

That seems like a leap. I’m not sure what value can be gained from such an assumption.

Incompetence.

“No comment” doesn’t seem like an incompetent comment. Why do you assign more value to unsubstantive PR speak?

Because "no comment" is less of a plan than even mindless PR pablum, that a PR agency should have been able to churn out without thinking.

Unless Sisense (a) had no prepared PR plan for this scenario and/or (b) has no idea what actually happened, so are still terrified to legally expose themselves by putting any words to paper.

E.g. They still haven't put out a press release: https://www.sisense.com/newsroom/

Aside from, you know, their piece on how properly isolated multi-tenant is a secure architecture pattern: https://www.sisense.com/blog/benefits-of-next-generation-mul...

What if their prepared plan was “no comment“? I think you’re making an unreasonable number of assumptions.

Do you think "no comment" is a good plan, when you've just sent out an emergency email to all of your customers telling them to rotate any credentials they entrusted to you?

I think it could be a plan. And I don’t think more words to also say nothing is in any way better.