I find this level of incompetence hard to believe. Is it possible that the company knowingly and intentionally left the collected data and their customers list unprotected to secretly channel it somewhere else? It would at least give them the opportunity to state incompetence if they should ever be accused of selling their customers private data on the dark market.
I watched with fascination on Twitch the other day someone programming a point of sale system, the dev was an older guy who said he'd been programming from 85 and was coding in C# (which is similar to me). First thing that struck me was the file he was editing he had a connection string embedded in the code, with what looked like the real plaintext credentials for the database. I then watched with interest as each query he copy pasted the connection string and other code for querying and then tried to create new queries by appending strings together with variables. I tried to give him some constructive advice, but he said "I'm in a bit of a rush, I just want to get this working". I watched for another 30 minutes or so as he tried to get it working. It was trivial what he wanted to do, he annouced how he hated SQL and has spent years writing sql and huge massive queries. Yet his problem was easily solvable with SQL. Looking at the code, it seems to have been done over quite some time and was really really really bad and really insecure. But the "just need to get it done any way possible" attitude means it will get deployed like that.
