It could have been far worse, it could have been intellectual property that would have destroyed competative advantage of a company. Data owners need to feel assured that Data Custodians at IT can provide adequate security to mitigate such risks. There is an element of negligence and certainly shows lack of due care. Technologies exist and we have implemented several of these that would have prevented classified information such as credit card data from leaving the enterprise in an unauthorized manner. There is regulatory compliance in place to protect credit card information with the PCI DSS however applying it to ensure compliance is another matter. Why did the IT department not look at a data leakage prevention solutions? Did the Data Custodians know the business impact of such an act? Will business be able to recover from brand damage and lack of confidence in a worst recession in years?