Probably so and also an indication of a probably lack of defense in depth and failure of access control. It will be another example to add to my Litany of Data Breaches the next time I speak with developers about appsec. You can see my last talk at https://www.youtube.com/watch?v=dj196NhPyWs&t=19m50s. So much failure to go around in application design and implementation.
I would actively insist not storing PII in plain text unless there was absolutely no way around it. And it may involve changing the business model to enforce that certain data is not needed to be actively processed by the web application in the ordinary course of business. This is part of the security pushback phase that is essential that more developers adopt as a matter of professional ethics.