Design Strategy: What if the data becomes public?
Putting aside the issues that made this data accessible to the two researchers, to me, the most unforgivable thing is storing people's passwords and biometric data as non-hashed.
So often now, products come to market as experimental internal proof of concepts that are then productionised and rushed to market. If you are transporting and storing such sensitive data you should start your design with the question: what if the data leaks - how can I minimise the risk? The evidence appears to be growing that this is rarely done.
Further, before go live any such system should be fully audited for security.