So who gets sued first?
Clearly a GDPR issue, but every organisation that uses this bunch of incompetents needs to complete an urgent risk assessment and, if necessary, self-report to the ICO for fines all round for not conducting the necessary due diligence before buying their services.
No encryption and no hashing? It’s RockYou all over again - but with a new and exciting law and order twist.
Meanwhile please form an orderly queue to have your fingerprints and other biometrics replaced.
Any list of all their clients so we can know if our data might be affected. Oh and that we too can complain to the relevant regulator.