Poor Administration
I run an on-line shop using one of the more popular open source e-commerce packages (I'll not say which one for reasons that will hopefully become clear).
Like many open source projects, it has it's support forums etc, and I read and post on these occasionally when I get bored.
Now when I started up, I spent a considerable amount of time and effort securing my website and the server it runs on, and I still address issues that come up from time to time. I'm no security expert (no such thing!), but I'd like to think I learned a good deal about the subject over the years of working on my little shop. The one thing that constantly amazes me from reading the forum for the e-commerce software that I use is the brazen disregard for security in general and in particular the cavalier attitude sys-admins (I use the term loosely) have for the security of the personal data that they are entrusted with by their customers. Basically, given a choice between "It works, and is nailed down, but it's not as pretty as I would like" and "It works and is cool and flash, but my customers' personal data is laid out for the whole world to see. Oh well, never mind, eh?", it is staggering how many of these shop owners go for the second option.
And one of the main "reasons" given for this is "it's too difficult to do", to which I have to ask, "what the f*** are you doing messing about with this stuff if you can't do it?".
I delayed opening my shop for some time (at obvious financial cost) until I was as confident as I could be that it was secure and that my customers' data was safe. Sadly, it seems that most are happy to open-up shop over the weekend with total disregard for such issues; as long as it looks cool then that's fine.
I am not in the least bit surprised that many websites get hacked and the data stolen.