They should not have collected any more data than they needed, deleted the data they had the instant it wasn't absolutely required, and securely stored all data they truly had to retain. It really isn't that hard to do those things, it's just harder (and more expensive) than not giving a shit, but universities (and just about everyone else hoovering up your private data) just don't give a shit about you and they know they'll get away with it when their negligence/incompetence results in a breach.
The fact that in this instance the breach may have also impacted some of the same people who decided to be so massively irresponsible doesn't change anything.