No more Mr Nice Guy
This sort of thing really needs to be subject to penalties on a scale that jeopardises the company's viability.
We've had DPAs for decades now and the need for compliance just doesn't seem to register with manglements or at least not to the extent that it compels them to supervise the underlings and make sure stuff is secured. We need to start putting some of the worst examples where they can no longer place data subjects at risk. Seeing a few of their contemporaries go down the tubes would encourage even the most obdurate of the others.