The attacks continued to hit organizations in Saudi Arabia earlier this week.
The country's national power company hasn't said whether it was able to link the attack to any specific group or nation state.
The hacker provided the records to LeakedSource after ESEA refused to pay the ransom.
The law went into effect on January 1, 2017.
Customers who shopped at the company's website between July 30 and October 12 of 2016 may be affected.
The hackers are alleged to have made over $4 million in illegal profits from the trades.
The hacker claimed to be accessing the system via an unpatched SQL injection vulnerability.
The company said the attack involved 'organized, highly professional hacker activities.'
In 18.3 million cases, the exposed data includes hashed passwords.
The routers were 'affected by an attack from outside,' the company said.
The data potentially accessed ranges from students' names and Social Security numbers to credit card numbers and expiration dates.
The proof-of-concept worm could jump from one smart bulb to another via ZigBee wireless connectivity.
In 20,000 cases, the bank says, the breaches resulted in 'money being withdrawn fraudulently.'