It's 2017 and NO ONE practices basic security yet.
It's sad, but like every breach before it (and undoubtedly every breach after) by every major company and/or government agency, basic concepts of security that are industry-known were just plain ignored. Every single one has been and will be a "WTF?!" moment, and this one is no exception to that by any means.
Of course with limited-to-no accountability, is this really a surprise? Expect much more of the same in the future. As long as the government does so little, so will the children it herds. We have ridiculously complex building codes for planning/building a house to keep people safe, but we have next-to-nothing for critical life-impacting data storage.
What makes this one worse than all of the others is that it did not even involve "customers", as that would imply people signed up to something. No, this is a company that you can't even opt out of. They nom nom nom all your data to provide a questionable "service" and too bad to you.