Qantas app data breach allows customers to access strangers' booking details

  • This isn’t really a data breach, it’s a bug in the app. And it didn’t “allow people to access strangers’ details”; it showed each person the wrong details after they logged in. Like, you couldn’t then pick another person and view their details; you were just logged into the wrong account. Still pretty dumb, but also pretty dumb reporting. But then it’s 7 News, so …

  • PII data should be stored in encrypted form with tightly controlled keys.

    Web servers should decrypt on an as-needed basis by exchanging user cookies / tokens for decryption keys.

    That prevents having “god” servers in the frontend serving path that are a malformed SQL query away from exposing all data.

  • Sounds like an incorrectly scoped WHERE (or maybe even JOIN?) on a SQL query.

    Plus inadequate (automatic) testing that should have caught the problem before it was committed to the main development tree.

  • Perhaps a whole-integer session key-value store combined with some form of refresh or update, leading to user/session mismatches.
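
The design proposed in the comments above (PII encrypted per user, with a key released only in exchange for that user's session token), run against the kind of mis-scoped query another commenter suspects. This is an added example, not part of the thread and not the airline's code. The table, names, tokens and the HMAC-based cipher are constructed stand-ins; a production system would use a vetted AEAD and a separate key service.

```python
import hashlib, hmac, secrets, sqlite3

MASTER = secrets.token_bytes(32)   # assumption: known only to the key service
SESSIONS = {}                      # session token -> user id (constructed)

def key_for_token(token):
    """Key service: a session token buys only its own user's data key."""
    uid = SESSIONS[token]          # unknown token -> KeyError, no key released
    return hmac.new(MASTER, b"pii-key:%d" % uid, hashlib.sha256).digest()

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stdlib stand-in for a real AEAD such as AES-GCM; do not use as-is.
    pad = b"".join(_mac(key, b"enc", nonce + i.to_bytes(4, "big"))
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _mac(key, b"tag", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"tag", nonce + ct)):
        raise PermissionError("row is not encrypted for this session's user")
    return _xor_stream(key, nonce, ct)

def build_db():
    """Constructed two-user table; returns the db and each user's token."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bookings (user_id INTEGER, pii BLOB)")
    tokens = {}
    for uid, pii in ((1, b"Alice, SYD-MEL"), (2, b"Bob, PER-BNE")):
        tokens[uid] = secrets.token_hex(16)
        SESSIONS[tokens[uid]] = uid
        db.execute("INSERT INTO bookings VALUES (?, ?)",
                   (uid, seal(key_for_token(tokens[uid]), pii)))
    return db, tokens

def load_booking(db, token, scoped=True):
    if scoped:   # correct: the row is selected by the session's user id
        row = db.execute("SELECT pii FROM bookings WHERE user_id = ?",
                         (SESSIONS[token],)).fetchone()
    else:        # bug: WHERE clause lost, first row returned to everyone
        row = db.execute("SELECT pii FROM bookings ORDER BY user_id").fetchone()
    return unseal(key_for_token(token), row[0])
```

With `scoped=False`, user 2's session is handed user 1's row, and `unseal` raises `PermissionError` instead of rendering it; the same call doubles as the cross-user regression test the thread asks for.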