Comment by varispeed

They didn’t suffer a breach; they published a market-moving PDF early because they put it on a public WordPress server at a predictable URL with no access control, then acted shocked when someone typed it into a browser. The report dresses this up in solemn language about “pre-publication facilities” and “configuration errors”, but the reality is negligent basics: no authentication, no server-level blocking, blind faith in a plugin they didn’t understand, and not one person running the obvious test of guessing the URL before go-live. Their claim of “independence” just meant running the most sensitive part of their job on an underpowered, misconfigured website while assuming everything else would magically hold together. This wasn’t a cyber incident. It was institutional incompetence wearing a suit.