This does nothing to discourage keeping data around. A company does not care if they, while following best-effort GDPR practice, release data to a hacker that causes harm to a user. They can simply hide behind the GDPR legislation to say “we did nothing wrong, the law is broken, we were trying our best, we accept no liability”.
Disclosing data to an individual because you make no attempts to verify their identity is in itself a GDPR violation. As far as the GDPR is concerned it doesn't matter whether you were hacked or whether your employees recklessly exposed information to individuals. The only difference is scale and scope.