Hacker News
by dsd 2322 days ago
Does GDPR forbid mistakes?
6 comments

Well, it wouldn't do a lot of good otherwise, since I'm pretty sure most data breaches aren't committed deliberately. The point is you should have measures in place that prevent those sorts of mistakes.
Not mistakes as such, but it'll probably invite an audit wherein they'll assess what strategies they took to mitigate a potential issue like this. If they're found to be inadequate and it also impacted a resident of the EU then maybe they'll slap them with a fine.
No, but "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55"
Well, at least they will have to make sure they performed due diligence with testing, because a test would reveal this pretty quickly. You know, real testing, not using customers as guinea pigs.
If you do it by accident, you pay a fine. If you do it knowingly someone should go to jail. It's time to hold those tech companies to a higher standard.
No, but it does mandate notifying the people affected by the error/breach/fudge up. I wonder if they would have notified anyone if it wasn't for GDPR.