Sure it could. A junior programmer aware of the values but not the repercussions could easily overlook this without any malice or disregard for privacy.

Right, let's blame the intern game.

Didn't that server endpoint need an upkeep? Didn't they wonder why it's getting all the traffic? Maybe they were DDOSed or something?

Multiple people in that company knew exactly what they were doing.

> So, you do collect information just not the kind you would classify as 'personal information'. I wonder if my personal domain with my full name qualifies?

Considering they have operations in the EU, I would imagine that would fall under what the GDPR considers personal information (https://gdpr.eu/eu-gdpr-personal-data/), or risk being in breach of it.