The state of Utah lost the personal information of at least 500,000 people because:
Attackers were able to compromise the server because an authorization component was not configured properly.
The state’s Department of Technology Services “has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.” The agency plans to bolster its controls with additional networking monitoring and intrusion detection functionality.
Hopefully they’ll add some auditors, too. It’s a shame to have your system set up so you only find out about misconfigurations after outsiders do.