Any unlawful or accidental security event that compromises a user’s personal data constitutes a breach of the GDPR.
GDPR Article 4 defines a data breach as an incident that involves data being destroyed, lost, altered, or disclosed to a third party — for example, due to a hack, human error, or a technical problem.