
Some reference hyperlinks are in German (sorry)
A German news and investigative TV show (ZDF Wiso) broke a story in which they stated that more than 56.000 very valuable login credentials were stolen and are now available for potential buyers on "Chinese servers". The interesting part of this story is that these login credentials (email accounts and passwords) were stolen from the German job applicant site of PwC (PricewaterhouseCoopers), a "big four" auditing and professional consulting services firm. Incidentally, PwC also offers IT security consulting as one of their key services...
The data of potential PwC job applicants may be very valuable in the wrong hands because of the expected economic and social profile of the users (highly educated and skilled professionals with a good income level). Hopefully they did not reuse the same credentials for popular e-business sites like Amazon, eBay or PayPal.
PwC stated in a press release that their job applicant site was actually outsourced and that their own systems, with all employee and client data, were never at risk. PwC closed down the applicant site after they were informed by the TV journalist. In the meantime the ZDF Wiso editorial office sent warning emails to all compromised users informing them of the issue. PwC themselves also informed these users of the incident, but only a full day after Wiso's initial email.
A PwC spokesman also stated that the passwords were stored in clear text because it was an older system and "any encryption would have been hacked anyway to get to the data".
But for me there are still a few questions:
- Why was the security concept of the outsourcer not audited by the experts at PwC before using this service? An auditing company in particular should know that checking facts is better than just believing some bold claims, be it about financial data or security...
- Why was the login password stored in clear text instead of as a hash? A good hash can be used to verify an entered password but never provides the ability to recover the password from it. Which means if the hash gets stolen it's useless. But apparently the PwC spokesman is not a very technical guy and was not briefed correctly by their experts - otherwise he would not have made such bold claims about "encryption hacking" in this scenario...
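To make the second point concrete, here is an added example (not code from the original post or from PwC's site) of what the applicant site should have stored instead of clear text: a salted, iterated hash that lets the site verify a login attempt without keeping the password itself. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the `pbkdf2$iterations$salt$hash` record format is an assumption chosen for this example. The per-user random salt and the high iteration count are there because a plain, fast, unsalted hash can still be attacked offline with precomputed tables once the table is stolen.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; higher makes offline guessing of a stolen record slower.
ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the record to store for `password`. The password itself is not kept.

    Record format (assumed for this example): "pbkdf2$<iterations>$<salt_hex>$<hash_hex>".
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest, expected)

def records_differ_for_same_password(password: str) -> bool:
    """Two users with the same password get different records because of the salt,
    so a stolen table does not even reveal which users share a password."""
    return hash_password(password) != hash_password(password)

if __name__ == "__main__":
    # Constructed sample credential; nothing here comes from the breach.
    record = hash_password("Bewerbung2008!")
    print(record)
    print(verify_password("Bewerbung2008!", record))   # True
    print(verify_password("bewerbung2008!", record))   # False
```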
PricewaterhouseCoopers will most probably not make such a mistake again, but the interesting thing would be to know how secure other similar companies and organizations are. Or does this not matter anyway, with all the data and unencrypted laptops being lost or stolen left and right?
1 comment:
I would not be so sure about PWC not making the same mistake again
see e.g. here http://barbadosfreepress.wordpress.com/2008/08/12/how-honest-is-pricewaterhousecoopers-barbados/#comments