The problem is that the site didn't collect the data because they wanted to, they did it because the law requires it. GDPR (and presumably equivalent privacy regulations) explicitly has an exemption for data you are legally required to keep.

Regarding fines, they wouldn't undo the damage of the leak either. I don't think this kind of leak can be mitigated with any amount of money, short of giving all the people involved a new identity and forcing them to start a new life somewhere else (and even then, they can still be recognised by their physical appearance).



I don't follow the distinction you're making about GDPR. I don't think anyone is saying they shouldn't have this information, just that they should make at least some minor modicum of effort to secure it.

GDPR doesn't say you don't need to properly secure data even if you're legally required to collect it.

GDPR solves this problem as much as any legislation can.


GDPR has a few useful clauses for this case, such as making it mandatory to inform the people whose data was leaked of the leak.


GDPR also requires safe storage.
