Certainly, it was a failure of that company, but I think you could say that the fact the company was allowed to operate the way it did, with such shoddy security practices, was potentially a failure of legislation or a failure of enforcement, in the sense that there were basic security mistakes being made that weren't necessarily being monitored or followed up on.
On February 23rd, 2017. See this statement in context.