If your house plumbing is leaking there is water going out where it shouldn’t be.

Yes. Correct. Personally Identifiable Information openly exposed on the internet is information going out where it shouldn’t be.

If your house is leaking, whether there’s someone out there with a cup doesn’t change whether your house is leaking or not. It only changes whether someone took your water ie. a breach

Data leak and data breach have specific definitions:

Data Leak vs Data Breach: What Is the Difference? While many use the terms “data leak” and “data breach” interchangeably, there is a difference between the two. A data leak often comes from within the organization either by accident or intent, while a data breach occurs when confidential or otherwise protected information is accessed, stolen, or used by outsiders without authorization. https://www.fortinet.com/resources/cyberglossary/data-leak

https://www.microsoft.com/en-us/security/business/security-101/what-is-a-data-leak

https://www.oaic.gov.au/privacy/your-privacy-rights/data-breaches/what-is-a-data-breach

https://www.ibm.com/think/topics/data-leakage

https://www.trendmicro.com/en/what-is/data-breach/data-leak.html

This is a data leak. We don’t know yet if it’s a data breach. We might not know until active exploitation.

Given the lack of control on this data, and that it wasn’t fixed until the researchers told them about it, do you trust IDMerit to have the scrutiny on their logging to know if it was accessed externally? I don’t.