Sorry, I didn't actually mean that data breach wouldn't have happened, just that the impact would've been far smaller if they didn't hold onto that data for so long, with no apparent purpose or business necessity.
Apologies for my sloppy wording, but thanks for your contributions, nonetheless.
I have had people attribute magical powers to the GDPR, and the earlier UK Data Protection Act.
Just last week, the instructor of a class I was in (Cybersecurity):
"A European website can't collect any data on you. No personal info at all."
I countered with:
'Yes they can, if they have a need and they inform you of it'
Him:
"NO! They can't, at all."
'So if I buy something from a German website, how do they know where to ship it to, and how do they get my money?'
He then just quickly moved on to the next topic.
And here, there IS a requirement to retain records like that for X years.
In the aftermath of the Enron scandal, financial companies are required, by law, to retain records like that for some number of years.