Moonpig, an online greetings card company, suffered a security vulnerability. While the vulnerability was serious, far worse was the company’s deliberately misleading statement in response to the disclosure:
“We are aware of claims re customer data and can confirm that all password and payment information is and has always been safe.” — Moonpig (@MoonpigUK), January 6, 2015
Indeed, this tiny subset of information was “safe”. What was leaked was all the other personal information held by Moonpig about every customer. That is much worse than a leaked password or credit card, which can easily be changed. That the company issued a statement like this indicates how little they care about their customers.
So, obviously, does the fact that the company knew about the problem for 17 months and did nothing.