Based on the report this happened when Facebook allowed you to lookup friends via a mobile number.
With that in mind GDPR became law in the UK May 25, 2018. However this feature was removed in April 2018 (https://www.techradar.com/news/facebook-no-longer-lets-you-search-for-friends-by-phone-numbers) this means any fines or punishments will be pre-GDPR sadly.
I don’t believe GDPR made any retroactive claims around notifications of breaches. It sounds like the Facebook team were able to validate the data set very quickly and pin it back to when it happened.