In this situation, the organisation was not merely unlucky. The data was not stored securely at all and this was made worse by the fact that they had not carried out a proper assessment of the data storage techniques. The DPA is very strict and rightly so - it is our personal information which is at risk here.
All too often there are stories of charitable organisations cutting corners and thinking they can get away with it. This fine is a message that organisations, regardless of purpose, will be treated equally in the eyes of the law.
What I find incredibly offensive is that the charity's CEO didn't even apologise to the 10,000 innocent victims whose data was lost as a result of his organisation's failings. Instead he is trying to shift the attention onto the ICO and try to portray themselves as victims.