Even setting aside the years they had to become compliant, it still wasn't a good idea to store passwords in plain text before GDPR.

Regardless of the law, it's completely irresponsible to store passwords in plaintext, and it's been widely considered so for decades - the company's behavior here is inexcusable, and I really can't understand why anyone would try to defend it.

> law significantly changed right under their noses.

You mean two years to comply before it went into effect. + over 10 years of similar local laws.

"right under their noses" my ass

Even if it had changed right under their noses, that would still be OK in my book. The Lawmakers are elected by the people (somewhat -- the EU could be more democratic, but that's a different topic), and they should therefore be able to change the laws on the behalf of the people.

Ah, the old a-planet-full-of-media-attention variety of right under their noses.

That would have been a reasonable argument if they were found to have been using something like DES-based crypt(3) to hash their passwords. But they didn't, they were just plain text.