Photobox acquired Moonpig in 2011 [1]. In 2010, Photobox got called out for emailing passwords in plaintext[2], and were quick to take to twitter to say "It will never happen again."[3] At that point, it had only been happening for 4 years [4].
Coupled with the tone of the job advert already posted by others [5], it doesn't seem too hard to imagine a corporate culture where security is not a serious concern until things go wrong.
I was about to ask why anyone would bother sending plain text passwords and store them encrypted. I then remembered a high-school friend's first (and largely unsupervised) job where IIRC he devised a ridiculous password encryption (not hashing) scheme in PHP (on shared hosting).
Unrelated horror unfolded a couple of years later when for some peculiar reason he had to move the site to a godaddy VPS. An unencrypted customer database sitting at /db.sql, fully accessible to the world. Apache had been configured to show directory indexes and, to take the site offline, /index.php had been removed. I think at the time I even needed to explain the possible consequences. I just remember being told that the database was restoring and it wouldn't take too much longer!
I think any remaining part of me that implicitly trusted interesting websites with personal data died that day.