I got access to tons of sensitive citizen data after buying cheap domains
inti.io
The first responsibility here lies with the owners of these domains letting them expire, of course. But this is such a simple and effective way to gather data for phishing, identity theft and fraud that it will hopefully somehow be handled better.
The best I can come up with is that domains used like this should really have TLD level protection from resale. With email so often being the key to a whole account, letting the access to that be put at risk by an IT admin letting a domain expire or an organisation simply forgetting about an old domain is kind of insane.