Why companies aren't fined for every customer's data they didn't secure properly is beyond me. This should cost them a specific sum per customer or part of their annual global revenue. Make it hurt.
Otherwise they have no reason to spend money to properly secure people's data.
Devil's advocate: It would give them additional incentive to cover up the fact it happened.
My 2 cents: companies can't be trusted with your data, and local data containers, which you control and can give or reject limited access to, need to become the norm.