A company in my country got fined recently for not protecting data of ~735k users (7% of the country's population) (leaked email, password, phone, full name ...) they failed to disclose properly to the regulator and the users. They got ~$60,000 fine. GDPR was part of the reasoning for the fine.

GDPR enforcement would come into effect only if there was a breach and it was not handled.

From what is in the story and from what we know, there has been no breach.

As 'tptacek has noted, it is very unusual to announce a security bug without a resultant breach.

What in the story indicates that there was no breach. The story says that they didn't keep a large enough set of activity logs to determine whether data was improperly accessed, not that there was no breach.

> Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said.

This is not what the article says, "Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said. The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time. "

'We don't know who was affected and what data may have been collected' is way different than what you're saying. It also opens up lots of questions, such as why a company with the resources of Google would not persist security critical logs indefinitely.