Unless and until we get regulation which makes holders of PII accountable for it's protection, with massive fines (e.g. GDPR style, X% of worldwide revenue) , companies are going to keep failing at cybersecurity and we're going to keep reading about these large breaches. Companies will only prioritize security when the cost of being breached far outweighs the cost of securing the data.