There are penalties for data breaches. I think Talk Talk was fined ~£400,000 for their THIRD breach. I don't really know how all that works though. Talk Talk was a high priority case.
Their site isn't https - I don't think security is high on their list of priorities.
Companies that lose people's data should be fined. (I think they are, no?)
I know Phd are a small company but that's no excuse.