One with an incompetent IT security team, for sure. Ster-Kinekor is a good example. They still store user details on their ticketing website in plain text with no hashing, and getting access to those details is probably not that difficult. This may have also been a hack as a result of a disgruntled employee leaving the company and causing some sabotage, or they may have had some fault creep into the image they deploy for their network, and audting didn't catch it in time. Not every example of a vulnerability is a case of incompetence, which is something I'm sure you'll agree with.
Oddly enough, S-K's IT team was fast enough to patch for heartbleed the week the attack was made known on the net, but they still don't hash passwords.
Here I'd have to disagree. There are several legal hurdles that prevent what you envision from happening, and because so many companies on the net use closed-source software, getting access to that for auditing purposes basically doesn't happen unless by fluke or if the company provides a very valuable service to a significant number of corporate customers. I can't reasonably expect, as a ZA citizen, to get Google's authenticator audited to make sure that it's secure and more random than not, but I have to rely on the word of third-party security companies that Google uses to make those claims for them after forensic audits.
Blaming CW wholesale and not letting the issue rest doesn't make sense to me, certainly not as a network engineer, because they owned up to the problem, took services offline as quickly as possible, and made moves to patch it and protect the accounts of users. I mean, that's a really good response to the issue. You don't even get a "Sorry guys, our bad" from Sony or Blizzard.
What's your response to the Linux Mint team being hacked and having malicious code slipstreamed into their ISO images? Or a seemingly innocent integer being deliberately put out of place in the Linux kernel network stack that actually opens up a vulnerability in SSL encryption that was only caught after Linus Torvalds saw it right before a planned beta merge? **** happens, even in open-source projects where the code is scrutinised every minute of every day. You can't be on top of security 110% of the time unless you're not an internet company and keep your network strictly off-limits except in special cases and have a "no portable media" policy.
At some point we have to accept that the nature of the beast means that someone, somewhere is going to screw up the process, and it's not always avoidable. I think Sony is unbelievably lax about security and should have been dragged over the coals before, but I still used their services after fixes were implemented to mitigate the effects of future attacks. Keeping grudges for extended periods of time is just exhausting.