Just to add a bit of clarity; not all data breaches/leaks have to be reported to the authority (AP). There can be valid reasons why a breach/leak hasn’t (and shouldn’t have) been reported.
The organization has to make an assessment of the (potential) impact of the data breach on the protection of personal data and privacy of data subjects.
If a data breach is not likely to lead to a risk to the “rights and freedoms of data subjects”, an organization does not have to report. Whether or not this is the case is up to the organization. But the assessment and decision have to be motivated and, if requested (by the authority), explained.
Keep in mind that these assessments are generally not taken lightly by organizations as any decision can have significant legal consequences.
If an organization decides not to report, it is still necessary to inform the impacted subjects and register the breach/leak in an internal register (which should be made available upon request to the authority, together with case-by-case motivations why there has been a report or not).
I am in no position to assess if a report to the authority should have been made in this specific case, but I just wanted to add that a decision not to report a leak isn’t a sign of trying to “hide” a leak, malpractice or not acting lawfully.
TL;DR: by law an organization shouldn’t report everything just for the sake of “being on the safe side” but should make case-by-case assessments.