How much GDPR fine will they pay? Oh wait, it's gov so nothing / does not matter even if.
Who will take responsibility and get fired and lose all pension etc.? Oh wait no one.
Well the citizens need to suck it up.
As the attack actor now has the data, they're liable for ongoing GDPR failures, on top of the theft. Then anyone they sell the data to becomes liable (on top of handling stolen goods). Could be a money-earner for the EU if they pursue it properly.
A few years ago a huge NRA database was left public with admin/1234 or similar by the Bulgarian NRA. The government fined itself some non-trivial amount, then in the source/destination IBAN they put the same value and paid the fine. They managed to find someone to blame and it was not the person who left the database but the person who found it. Turns out that if you leave the PII of a whole country open to the public it is not your fault and you get to keep your cozy job. It is already unlawful to access that, so if someone accesses it - it is his fault - he broke the law.
Edit, I checked the facts: The Bulgarian government said that it should pay too much to itself, and appealed the fine for a few years until it somehow expired. And the guy (20 years old at that time) they accused was later acquitted after they tried to ruin his life.