> What you are saying is that if Company A borrows your TV for a trade show and subsequently someone steals the TV, then your damages are basically the replacement cost of the TV.
It's more like you lend someone your smartphone, they leave it in their car overnight and it gets stolen. The thieves then use your smartphone to gain access to your email, social media and bank accounts.
Is the person who borrowed your phone liable only for the cost of the device, or are they liable for the damages you suffered as a consequence of the device being stolen and misused?
Yes, this is more like the argument I was trying to make.
I don't think the value of personal data to anyone -- either the authorised user or the unauthorised party or parties who got hold of it -- is particularly relevant here. Making good the damage caused by any leak of the data is the priority, IMHO. That damage could be less than the value to the authorised user, or it could be many times greater, depending on the nature of the data that was compromised and what is, or could in future be, done with it.
Of course some damage can't be reversed by any amount of monetary compensation. Then maybe you get into questions about how much is an appropriate financial penalty to make up for doing damage to someone's quality of life in some way. But even to the extent that it's "only money", there is still a difficulty here in that you have to somehow quantify the potential harm of any given incident.
For one thing, there might have been multiple relevant incidents. Some of them might not be known. It won't necessarily be realistic to determine which incident(s) actually led to the harm. However, the harm was caused all the same, and at least one relevant incident contributed to that.
For another thing, harm could be caused in the future, possibly far into the future. The subject of the compromised data may have to live with that prospect, perhaps forever, and do what they can to protect themselves against the possibility.
So the difficult situation is that we have an uncertain amount of harm being caused if data is compromised, attributable to uncertain specific incident(s). However, we do know that in some cases the damage could be great, and we do know of at least one incident and one responsible data controller (assuming it's reasonable to hold the controller responsible under the circumstances, which was my point about negligence being an important condition). So you have to try to build a fair and reasonable system for penalising the responsible party or parties and compensating the victim, with much uncertainty about the actual situation.