That's not actually an explanation relevant to his question.
SSNs are unique to the US. Canada has SINs and the UK has NI numbers, for example. There are only 340M people in the US and so even taking into account 30 years of data, 2.9B is almost nine times the entire population of the US.
If the article had said 2.9 billion distinct records, that would be possible, with multiple records per person (although, again, nine records per person?).
Alternatively, this is world data, but then why mention SSNs repeatedly when that's not relevant for most of the records (i.e., 2.5B of the 2.9B, more or less)?
More so, if the data includes past addresses for people going back 30 years, while this has its own issues, that data is less dangerous.
In any case, other countries DO have laws against this sort of thing. That's what the GDPR and the EU data privacy laws are about. If this company has scraped data for Europeans, then they're going to get railed by the EU. The main problem is the US, which is so protective of businesses' rights over citizens' rights that they'll never bring in that strict a set of laws to protect the public from this kind of infringement of privacy.