None of the data that was available sounds like sensitive PII so I'm not sure why anyone would be surprised by this. I would probably think that rider/driver feedback isn't PII at all.
I suppose it might be a bit questionable if Lyft was creating and providing tools to make it easy to look this stuff up and promoting it within the company but that doesn't sound like the case either.
Not all PII is inherently "sensitive" though. Meaning not everything that can be used to actually identify you needs to be encrypted and protected. I don't know for sure but I don't think names or addresses qualify as that.
I absolutely would say it would, especially where there's a very good chance that the home and work addresses are part of that list, and the idea that someone would use a database like that to spy on an ex and harass and/or assault them is an actual thing that happens.
“This was said to be used to look up ex-lovers, check where their significant others were riding and to stalk people they found attractive who shared a Lyft Line with them... One staffer apparently bragged about obtaining Facebook CEO Mark Zuckerberg’s phone number.”
I suppose it might be a bit questionable if Lyft was creating and providing tools to make it easy to look this stuff up and promoting it within the company but that doesn't sound like the case either.