Human error, it doesn't matter how good your policies and procedures are, or your training, end of the day the people who do the job often don't care and they can make mistakes (we all can) so things can go wrong. You can spend as much time and money as you like, it doesn't guarantee information security.
In my previous job I was the information security consultant, and in the research I did I found that the Data Protection Act is broken very often and by most companies, but not on purpose, through human error. Few of these breaches come to light unless it's a big bank or a govt agency, but you can guarantee your data has been compromised many times in the past by other organisations.
End of the day perfect information security is impossible to achieve, you need to accept that these things happen, as long as efforts are being made to avoid problems and protect data then you can't blame people when mistakes happen, it's inevitable, but how you deal with it does make a big difference to the outcome and in this case it seems to have been dealt with badly and too late.