Normally I wouldn't be surprised, but seeing as it's a "security company", well, they SHOULD have known better. Just leaves me with a few questions really:
1. Why were they using a CSV in the first place? Surely a DB (MySQL, SQL2K5 etc.) would have been a better solution; the code to go from a DB table to CSV is nominal.
2. Why wasn't the CSV located in a folder above the site root in the folder hierarchy, i.e. inaccessible from HTTP, only accessible via FTP and script?
3. If the code is being used by customers, then it's production code to my mind. So why were the comments left in, etc.? Why wasn't the code obfuscated?
4. Why wasn't the CSV encrypted? I mean, seriously, what sort of IT security company doesn't try to encrypt everything and anything that could contain data??