Hacker News
by ckozlowski 1546 days ago
Without proper separation of duties to limit blast radius, it's just as damaging as a software vulnerability. It sounds like that's the real issue here: Compromise of a support engineer led to far more access than should have been permissible.

Right, but their claim is that there were proper separations that successfully did limit the blast radius.
Or at the very least, audit logs so they can see what that support engineer's account did during the period that the account was compromised.