This is just unbelievable. Whereas i am not surprised with personal information, the credit card numbers do puzzle me.
In order to offer payments, the company needs to comply with PCI/DSS. It comes in different levels and a major line is the number of transactions and whether the credit card numbers themselves are stored:
- 100k is enough for them to, in normal circumstances, have an external audit and regular pentesting to their external interfaces
- storing credit cards is MAJOR. It draws the line between a really simple compliance programme and a really complicated one. I am simplifying but this is the main reason why receipts have all the asterisks with only a few digits of the credit showing. The rule is: process the payment and forget the credit card details.
How was it possible that a server with this information was just accessible without even a password?
Two explanations. One is they lied, at multiple locations, in their self-assessment and cheated when audited.
The other is far simpler: this is forgotten server that was used for, e.g., backups.
PCI security has been doing wonders for security for years now. However, it is very prescriptive and can more or less easily be cheated and made quite inconsistent, unlike ISO 27001, for example, that focus on the management of security.
Again, I praise PCI for what they have done but one should always keep in mind the programme is a trade-off between simplicity and adherence. If the programme was too complex, the vast majority of companies (small) would not dare accept payments. So it sort of follows a 80/20 rule similar to what the UK is doing with its 10-step programme: better to have "lots" of security, even if not comprehensive than requiring everything and the moon and nobody doing it.