There is an important difference between having access to and accessing.
For example, COps reasonably have access to customer address information [so that they can do ID verification, change of address etc.] but if someone accessed that information without a valid reason to do so, then that would be a breach.
Obviously, these two situations aren’t entirely analogous – but the important correlation as far as it being a breach under law (your allegation above) is the actual accessing of data.
The message from Monzo staff members has been that Monzo is not taking responsibility for all future PIN-present fraudulent transactions and that they would have to investigate as they do in all cases of alleged fraud. By changing your PIN, you are removing all risk from this incident – Monzo are leaving this choice to individuals affected (of which I am one, I received the email and know that I used one of the two affected features).
You are making really serious allegations in this thread, including ones which, if based in fact, could see severe penalties imposed on Monzo.