Data Protection Authority (DPA) should investigate. In Germany, the company's DPO (Data Protection Officer) has personal, criminal liability. For these cases, I'd like to see them in front of criminal court, and see what happens. I wanna see someone having a criminal record for this, and then all the stupid excuses of large companies about "I didn't know" and "I thought lalalala" will stop rather quickly. It will turn out that, at the end of the day, it was just a resource issue. And when criminal liability is on the table, resources magically... appear.

It's time to be serious about this. Unacceptable.