> Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period
It's easy to blame legal here, but actually this is an issue with the corporate structure/their Incident Response