Sack the CEO, CIO... and fine them all.
How can the privacy commissioner be happy that standard procedure following a breach in his jurisdiction is to recommend affected customers visit a 3rd party that has made exactly the same mistake but on an even larger scale? And may well do the same in future.
Not to mention recommending that customers visit three other third parties, all of whom REQUIRE even more personal information than GoGet collected, just to 'identify' the victim.
Worse, D&B even insist on being sent actual copies of your government-issued IDs, not just the ID numbers, before running a rudimentary check.
How can the solution be to extract even more valuable PII from the victim and store it inside more computer systems that will be (at some point) vulnerable to compromise (or probably are, right now)?
Until someone actually bites the buffoons that fail to secure their systems, it will only get worse. The police are no deterrent, especially when the majority of hackers reside in practically untouchable locations. And the commissioner has no teeth; the law has no practical effect; the gov never acts to protect anyone other than themselves. Until people actually insist on being able to sue in such situations, this will get worse.
And being able to sue is only the start... from a regulatory point of view, the protection of PII needs to be the priority, not its (ab)use. No major party will lift a finger because doing so upsets the spooks, the tax office and everyone else keen to record everything anyone does.