We know the gory details about TJX Cos. and its mind-boggling data breach. But a hard-hitting new report on the worst data offenders from Byte & Switch shows that in some cases these organizations still haven't cleaned up their security act. Following their own high-profile breaches, the goings-on at Los Alamos National Laboratory, the Department of Veterans Affairs, and Iron Mountain are shocking indeed.* Los Alamos National Lab Despite a change in management since a high-profile loss of top-secret information, the lab's security is still coming under the spotlight from government watchdogs. Last year, classified materials on memory sticks were confiscated during a drug raid on the home of a former lab contractor. That's classified, as in national security information.

* Department of Veterans Affairs Since the VA's damaging data breach, a government official testified to the U.S. Senate that "a weak overall control environment for IT equipment at the four locations we audited posed a significant vulnerability to the nation's veterans with regard to sensitive data maintained on this equipment. GAO auditors identified a total of 123 'missing IT equipment' items at the four locations, including 53 computers that could have stored sensitive information."

* Iron Mountain When in doubt, blame the customer. Iron Mountain, source of at least four major breaches, has maintained the stance that its tape transport and physical data protection businesses are risky and that customers, not Iron Mountain, should bear the brunt of responsibility for ensuring data is protected, mostly through encryption.