Basic Security 101 - Failed
The problem is that companies don't even follow basic security practices for handling this kind of data. The cloudy bitbucket is bad enough, but even then, had the data been properly encrypted, hashed, salted, with important columns separated into separate databases on unique servers / buckets, then the damage of exposure (whether hack or just bad configuration open to world + dog) would be minimal.
How many more decades do we have to go before companies are held significantly liable just for the fact of not storing the data according to basic security practices defined ages ago?
I'm not even asking for anything interesting or advanced. Just Basic Security 101 would be a massive improvement over "one server, one database, unencrypted, unprotected, open to world".