It's not 'toxic waste' if you can't be paid without it.
Reading between the lines a bit, I wonder if it was anyone/everyone with a company credit card who had their personnel jackets "misappropriated"?
The employer needs all that info for payroll, pension, medical insurance, reduced-cost loan schemes (bike or car purchase schemes, forex), and all the other interactions between employer and employed. Here in the UK, driving licence or passport info can be used to prove someone has the right to work here so that can count as necessary data. While it would be nice to imagine every employer could have their Personnel information on a system completely isolated from the Internet and only move across the really necessary data when it's really needed, reality is never that accommodating.