
Backups are nice. Until a threat actor deletes them or encrypts them. Backups are also nice until you realize they exfiltrated data too. They are one mitigation but definitely not surefire insurance against a data breach and the legal implications thereof.

Source: I’m a cybersecurity lawyer.



Backups should be on a different segregated network (ideally off-site) with strict access controls and encryption. The threat actor should not just be able to find them lying about (possibly even directly attached) with no authentication or authorisation required to access them. If they are able to access them somehow then they shouldn’t be readable. What you describe is people with a poor backup policy, which yeah I guess describes most folk. But backups aren’t the issue here, poor backups are.

And they do not mitigate against the threat of the data being published online, which seems to be the new(ish) threat these days with ransomware.



