Any idea why now and then we hear, oh Target lost millions of customer data, oh Facebook, oh this giant insurance co.... I mean these are not Pop&Mom stores, and we have known, for at least a decade, that China/DPRK/Russia are stealing our stuff... why does it still happen? Don't we have the expertise? Or do the people signing the checks prefer to hire people they know/family rather than real professionals? (my guess).
The word "experience" is the key factor.
Much like a flashlight app for your phone needing access to your contacts list.
WHY? Those two functions should never meet.
Clueless devs, clueless managers, on up the chain. Or worse, doing this on purpose, knowing the masses won't notice.
Or, otherwise competent devs, but supremely arrogant.
Taking a laptop home with a copy of a large part of the user database. Unencrypted.
And leaves it on the bus.
Of course, he's not supposed to have a full copy, and if he needs that much data it needs to be encrypted and anonymized. But he knows better.