If you wanna do some journalism, have a look at TPOnline (Teacher's Pensions Online, also the guardian of the "List 99" barred checks for staff).
Everything from emailing out the private keys of client certificates in an unencrypted email (you just have to ask nicely and say it didn't work when you tried to download it), to charging £80+ for a new certificate even on renewal / replacement, to having some of the most atrocious TLS security known to man for years (they improved this year, they almost get a C on SSL Labs now!), etc. despite handling all kinds of sensitive data.
Oh, and pretty much only works in IE, and you have to put everything into trusted zones etc. to make it work even then.