Was coming around to make this point that in the cybersecurity world the word "breach" can have a very particular meaning with legal implications. As a cybersecurity professional, we are trained not to refer to anything as a breach while communicating findings of investigations or alerting organizations to activities that we see unless that has already been legally established.
There is plenty concerning about their response to this situation, and this phrasing can be confusing, but from my POV in the industry this choice of words is understandable.
And if by subsidizing other people's internet they have better access to higher quality connections then it will be a net benefit for your community, which will in turn improve your life while interacting with and in that community.
The infosec community at large is well aware of how unreliable just using md5 checksums to identify malware is. If anything it is the absolute first line of defense for identifying malware, in that it is easy to implement quickly and has a decent enough chance of filtering out low hanging fruit. The biggest use for the checksums between malware researchers is for identifying if they have the same strain of malware as someone else. Identification is mostly not based on checksums, but rather things like YARA rules where different identifying factors of malware are outlined to be compared against binaries. This isn't foolproof either, but there is a rather large ecosystem of malware researchers out there constantly taking samples and releasing rules. I follow a lot of these folks on Twitter and the majority of what they post are their findings on the bajillionth strain of whatever malware is in vogue at the moment. This sort of stuff is going to catch the majority of what will be coming at most people and anything that slips by the first lines of detection usually gets picked up somewhere along the way and passed on to researchers who do an exceptional job of reversing and identifying new malware or strains of old ones. But of course the reliability of that whole ecosystem depends on sensible organization security policy to start with.
In short, md5 sums and signatures are there to protect against the low hanging fruit, spray and pray type malware that's pretty common. If someone wants to target you with uniquely signatured malware they can. Identifying it isn't going to be what stops it, but proper opsec can.
There is plenty concerning about their response to this situation, and this phrasing can be confusing, but from my POV in the industry this choice of words is understandable.