Hacker News
by bodz 3201 days ago
None of the managers had anything to do with or were in the chain of command of the security team, so it's entirely possible they had absolutely no idea about the breach until long after 8/2.

The CFO is the one that is a little iffy, because the CFO might be involved in the hiring of the external firm. However, having worked for security consulting firms, it's also entirely possible that the CISO is given a blank check for this type of stuff without having to get CFO approval. I've worked in plenty of organizations doing cybersecurity work where the C-suite (including CIO, CFO, etc.) was completely unaware we were there because they don't have to rubber stamp every single transaction.

It's also a possibility that the 8/2 date on which they "contacted" the firm was just when discussions started between the two parties, and it might have been a few days before a contract was ironed out enough to involve the CFO or anyone else.

There's a bunch of other possibilities/scenarios in which I think it's entirely believable that they didn't know. It's shady and worthy of investigation, yes, but I'm not willing to convict them just yet.