Hi Christian,
I am also not directly involved in this, but I think legal action (not necessarily suing someone, but for example filing GDPR violations or possibly criminal charges with the police) is very much appropriate. I am not sure what laws are concerned here in detail, but I think such a massive violation of privacy and attacking & manipulating our infrastructure is not just a mess to be cleaned up; it requires the proper legal response as well.
The nice thing is that this is not a decision anyone needs to make for the community. For example, anyone who wants to can file a GDPR violation with their local data protection officer. Those who don't want to do that don't need to.
Happy hacking!
Florian