I used to work in IT security, not in a big way, but it was part of my job to secure up to 35 desktop computers, a few hundred laptops and networked servers, some of which contained half a million recorded of UK customers. So not saying I’m an expert but, unlike our government’s IT security advisors, I know the basics.
They are measure that can be taken to make the data both secure & accessible to the right people in the right places. The very first step is to take the data off any network that has internet access. They give restricted access to the network the data is on or even arrange for systems that deliver requested data in encrypted form. Together with regular housekeeping to make sure when and where data is moved & deleting data no longer needed.
These breaches are at such a high level, I would suggest whoever caused the breach or failed to protect the data should be first investigated and at least sacked immediately and never allowed to work at that level again. I’ll end this article by saying the company I worked for, and left because they went back on a promise of promotion, they had a data breach some years after I had left but in the ten years I was there, including installing their first ever internet systems, email, antivirus, firewalls and NAT servers, the was never a problem.