I think there's one other element here, and it's a feeling that disclosing the name could do so much harm to a company. Really, with a law, they're still seeking guidance, and the Privacy Commissioner is giving guidance as to what it means. Most companies, as you know, try very hard to follow what the Privacy Commissioner says. Disclosing publicly could be hugely economically damaging. The commissioner usually gives people a chance to correct what they are doing before taking that step. There's a balance between the relative harm and how serious the breach was.
On December 4th, 2006. See this statement in context.