There is an enigma here, far beyond the rank foolishness of keeping vast quantities of such sensitive data in an unencrypted format (see the linked article), there is a deeper problem. The more valuable any data is, the more incentive there is for it to be accessed illegitimately and it is a matter of recursive significance that secure biometrics are themselves the subject of this particular breach. As a matter of logical necessity and technical inevitability, security is only ever contingent and must always be remediated, reformed, amended and upgraded.
Observe a psychological (as much as an administrative, hierarchical) investment in an aspiration to completeness and closure of projects, products and systems which more closely resembles a fantasy of control than it does any approximation to the actual and intransigent complexity and implicit openness and systemic extensibility of material, technical, mathematical and logical reality.
Rethinking security and data protection is a matter of holistic, systemic reform which will likely prove anathema to the business models and conventions of governance within which it is currently addressed. This issue is symptomatic of a much larger organisational problem but it is in security that this pain of intractable systemic entropy is most acutely experienced.