Assuming malice is rather presumptive. There's a big difference between negligence and malice. I'm certainly not defending the actions of this company (I have no idea who they are,) but I certainly wouldn't want someone's potential ignorance to be used to assert that they acted with an intent to harm. Malice requires intent. Acting stupidly isn't malicious.
Ignorance of the law will not protect you from it, neither will ignorance of security precautions prevent you from being hacked. People will always make mistakes, but you don't raise the bar by merely tolerating the status quo.
I think more people need to understand that security is important, implementing the security precautions that you're aware of isn't enough anymore. You need to be active in the community to make sure you're up to speed on recent developments, and that you're following Best Practices where possible. Anything less is insufficient.
It's us the customers who are hurt the most when company databases get hacked. Companies should start showing some respect for that fact by taking security seriously.
