Re: And it won't be the last time.
The problem isn't so much the HR bar, it's the fact that this sort of screw-up is considered so unimportant that the people who do it get an "oops, please don't do it again" as their only punishment.
At the very least it should be called out in their annual review, with an "unsatisfactory" rating & the consequential salary/bonus/promotion hit that would go with it. They should also be sent on compulsory IT security training (and they should all have had some basic training anyway).
Companies need to be made to realise that this is just as important as H&S training, and that such carelessness can have equally serious effects on other people's lives.