Then, to be clear, is your position that companies should be punished (fined) if there has ever been the possibility that user data was compromised? It's possible that a time-traveling quantum-powered encryption-breaking mind-reader from the future has seen your personal data. Should we fine everybody who knows anything about you?
Reckless endangerment deals with the possibility of something bad happening, but notice that word "reckless."
I didn't say GDPR would apply in this situation, and the WSJ story suggests it wouldn't because of when it was discovered. All I said was that GDPR was great (obviously we'd only see the benefits from it after it had gone into effect), and this latest scoop bodes well for the political movement to enact equivalent legislation in the US.