That kind of unbounded massive privacy violation would result in million € fines (if not dozen or hundreds of millions) under GDPR law. And it was already not possible at scale in major European countries before GDPR. What permit it to happen in the USA at scale, is that the baseline of protections is so low compared to Europe. Depending on the state it is getting better, but there is still this culture about making massive files on everybody about everything and then selling them to anybody who ask and pay. Such databases are often forbidden in Europe to begin with because we think of what could happen if they are misused.
The notion that the fault would completely be on a "Belarusian teenager stealing your identity" and no responsibility whatsoever on people organising a system of massive private data collection in the first place, and then not even able to keep such data secure, is ludicrous. And even when you know that privacy invasion is attempted all the time you don't reach the conclusion that at the very least better securing the data would be needed, that task I'm not sure can be done by any "Belarusian teenager" - and that task has de-facto not be done by whoever is collecting and maintaining the private data that has leaked and is still leaking.
The notion that the fault would completely be on a "Belarusian teenager stealing your identity" and no responsibility whatsoever on people organising a system of massive private data collection in the first place, and then not even able to keep such data secure, is ludicrous. And even when you know that privacy invasion is attempted all the time you don't reach the conclusion that at the very least better securing the data would be needed, that task I'm not sure can be done by any "Belarusian teenager" - and that task has de-facto not be done by whoever is collecting and maintaining the private data that has leaked and is still leaking.