I don't remember the specifics well, but under GDPR they'd be required to give breach notification to customers, maybe write a report and get audited and possibly get fined depending on the situation. Customers could demand compensation (probably doesn't make sense here).