As revealed in a series of posts by UpGuard, AggregateIQ - Cambridge Analytica's "digital" partner - weren't exactly 1337 HAX0R D00DZ; they left their source code repos full of config data and API keys behind an open signup.
And there was a whole bunch of pro-brexit campaign organisation details in there, including Wordpress user table SQL dumps and Stripe keys.
They also found a suite of marketing and targeting tools - I disagree with Upguard's classification that they were "highly sophisticated technical tools" but comments like those at the top of amount_spent_wtf.py will feel familiar to most developers:
## WTF - we have a different number in ad_accounts.amount_spent than the calculated number from ad_sinsights!!?!"
The catalogue of bad practice continues with Canadian political organisations - including the private key for an SSL certificate.
One or two of these incidents could occur in any organisation but the sheer number of them in this case indicates institutional incompetence.