by networkguy
4177 days ago
They aren't a full-stack security team though, and it's not fair to be putting any fault on Conosco; they are enterprise IT consulting and support, and that's clear enough from a look at their website. To be basic, a firewall does stateful inspection of inbound and outbound TCP/IP packets, and an IPS guards against vulnerabilities with signatures; neither of which understands the application's logic -- there is nothing in off-the-shelf hardware/software that will prevent a shitty app from giving up the keys to the kingdom. The firewall might block inbound connections to port 22 and the IPS might detect a SQL injection attack and stop it, but if you have an API that just gives up data, you're screwed, and that's precisely what happened. A legitimate request for information was made on legitimate ports, using legitimate protocols, and as far as the hardware defense is concerned, everything is as expected -- the problem is the application.
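The layering the comment describes, as an added example that is not part of the original post or of any vendor's product: a toy signature-based inspector standing in for the IPS, followed by an API handler. The leaky handler returns any record whose id appears in the URL; the hardened one checks that the record belongs to the authenticated session. The user records, the signature list and the request model are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed sample data store: user records keyed by id (not real data).
USERS = {
    101: {"id": 101, "owner": "alice", "email": "alice@example.com", "ssn_last4": "1234"},
    102: {"id": 102, "owner": "bob", "email": "bob@example.com", "ssn_last4": "5678"},
}


@dataclass
class Request:
    """Minimal model of an HTTP request as a perimeter device would see it."""
    method: str
    path: str
    authenticated_user: str  # the user the session cookie belongs to
    body: str = ""


# Hypothetical signature list a toy IPS might carry: classic injection patterns.
IPS_SIGNATURES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)'\s*or\s+'1'\s*=\s*'1"),
    re.compile(r"(?i)<script"),
]

Response = Tuple[int, Optional[dict]]


def ips_inspect(req: Request) -> bool:
    """Return True if the request should pass. Looks only at bytes on the wire;
    it has no notion of which user is entitled to which record."""
    haystack = f"{req.path} {req.body}"
    return not any(sig.search(haystack) for sig in IPS_SIGNATURES)


def vulnerable_get_user(req: Request) -> Response:
    """Leaky handler: trusts the id in the URL and never asks who is requesting it."""
    m = re.fullmatch(r"/api/users/(\d+)", req.path)
    if not m:
        return 404, None
    record = USERS.get(int(m.group(1)))
    return (200, record) if record else (404, None)


def hardened_get_user(req: Request) -> Response:
    """Fixed handler: the record must belong to the authenticated session."""
    m = re.fullmatch(r"/api/users/(\d+)", req.path)
    if not m:
        return 404, None
    record = USERS.get(int(m.group(1)))
    if record is None or record["owner"] != req.authenticated_user:
        # 404 rather than 403 so the response does not confirm that other ids exist.
        return 404, None
    return 200, record


def serve(req: Request, handler: Callable[[Request], Response]) -> Response:
    """Perimeter first, then application, mirroring the layering in the comment."""
    if not ips_inspect(req):
        return 403, None
    return handler(req)


if __name__ == "__main__":
    # alice's session asks for bob's record: well-formed, legitimate port and protocol.
    probe = Request("GET", "/api/users/102", authenticated_user="alice")
    print("IPS verdict on the request:", "pass" if ips_inspect(probe) else "block")
    print("vulnerable handler:", serve(probe, vulnerable_get_user))
    print("hardened handler:  ", serve(probe, hardened_get_user))
```

Running it shows the point of the comment: the request carries no signature-matchable payload, so the inspector passes it and the leaky handler returns bob's record to alice. The hardened handler denies the same request, and only the injection-shaped request ever gets stopped at the perimeter.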