What data was being protected? The data was created when the user chose to engage with the Facebook apps. CA pays Facebook to put something in front of users' faces and then CA gets back information on user engagement. How is that different than any other kind of advertising on the web?
We can argue that there needs to be more transparency on Facebook, but a breach? That's torturing the word.
Personally-identifiable information. Many states require notification in the event this data is found to have been accessed improperly. The definition of a "breach" is not limited to technical malfunctions.
We might say that you can't sign away the secrecy of your PII, so user consent is irrelevant. Then we had better get on YCombinator, Stack Overflow, Medium, etc. for allowing prominent community members to use their real names on their posts. Someone could use them to train statistical models to who-knows-what purpose, after all.
Whether you believe them is another matter.
> This is similar to a HIPAA "breach" where the word doesn't imply that a security system was compromised, but that protected data was accessed by folks who shouldn't have had it.
Protected data, in the context of HIPAA, would refer to Personal Health Information (PHI).