Good point! What do you think we should do about this problem? Ban companies from holding onto data when they are deactivated? How would we enforce that?

The problem is even worse: if your friend shares their contact list and that is the data that gets leaked, what then? I think that brings to question the entire idea of a phone number belonging to one person. A friend can give consent to share your information. Maybe we are focusing on the wrong set of problems?

Maybe phone numbers / email addresses being leaked is a problem that cannot be solved and instead we should focus our efforts on spam filtering or being able to easily change those identifiers.

I think they should notify everyone affected. Provide them with what was leaked, when, how, and how its been patched. And also provide the user the ability to have all the data permanently deleted from their datastore if they desire.