by tijmendj 1900 days ago
As far as I know there is no legal basis for them to contact the banks, at least under GDPR. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is there to enforce GDPR and will not add additional requirements.
2 comments

Right, my suggestion is that it should. Yahoo’s settlement included identity protection or something along those lines. Disclosure to the customer might not always be enough.
Notifying banks will likely be required by their payment processor, not by the GDPR; those are two separate processes.