Who says it was? Why would they willingly give out their customers' and customers' customers' data to any anonymous person or a bot?
More likely a bad oversight
This is “the tire shop doesn't have a torque wrench” level shit. If it's an oversight, it's an oversight due to incompetency, not because a good team just happened to miss something in a crunch. Another possibility is that the issue was raised and management said to fix it later, and because software “engineering” isn't a real engineering field that holds its practitioners to any duty of care, those responsible (the engineers) just went along with it.
For 3 years? That would mean that no developer has ever raised these issues with management, to speak nothing of an actual pentest being conducted.
No, this is not some obscure security hole they forgot about. This is plain incompetence and/or deliberate design decisions.
I agree that full public disclosure like this is irresponsible, but exposing issues like this to the public is the only way for such companies to make a change or, preferably, lose business and shut down.
Because they don't care, and their customers don't understand any of this shit?
It feels like the usual case of vendors buying service to better exploit the users, and themselves getting burned and/or exploited by that service too.
Yes! You as a user are not meant to knowingly access data that does not belong to you. Even something like changing the id from 1 to 2 is legally considered unauthorised access.
It would be different if for example the application was showing data for other customers through normal use of it, but even if there is no other barrier to access than changing an id that is considered bypassing access control and can result in jail time in most places. Now I'm not an expert in India's computer misuse laws but I am willing to wager they are not the most progressive when it comes to this kind of thing.