If the website in question offers services to EU countries, then regardless of where it is based it is subject to the European General Data Protection Regulation (GDPR). Similar legislation applies in the US and other countries.
You seem to be referring to a vulnerability rather than to a confirmed data breach. According to the GDPR, websites affected by a vulnerability which exposes sensitive personal data must quickly investigate whether the vulnerability resulted in a data breach. If the website has conclusive proof that the vulnerability was not exploited (e.g. from reliable logs) and if the vulnerability was remediated, then no notification is necessary. However, if the vulnerability is likely to have been exploited and to result in a high risk for users, then the website must inform users proactively (e.g. via email). At any time you can inform your own national authority, who must follow up accordingly in case of violations.
The following are the relevant extracts from the GDPR:
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (Article 4)
It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. (Recital 87)
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. (Article 33)
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. (Article 34)
[...] every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. (Article 77)
Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory: [...] handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period [...] (Article 57)