Re: CREST- who the hell are they
They’re a not-for-profit organisation (which is another way of saying the shit ton of money we get for doing very little goes to the C-suite pay bucket) that is meant to provide a degree of certainty that the penetration tester you’re paying for isn’t shit.
Sodexo are clearly blame shifting here - “pen tester said it was fine”.
Ofc Sodexo went with the cheapest option, which doesn’t mean the lowest day rate, it means the lowest number of days. Give a pen tester a couple of days and they’ll find the easy stuff, but that kind of time boxing leaves them very little chance of finding the truly interesting stuff.
Then you’ve got scoping issues - PCI compliance testing is all about getting as little stuff tested as possible (because it’s faster, and time is money). A pen tester won’t touch an out of scope box, else it’s career over. If Sodexo didn’t provide sufficient info to allow the engagement to be appropriately scoped then a vulnerable box might not get tested (chances are the pen tester didn’t know it existed).
Attackers on the other hand don’t give a damn about scope. They’ll go poking until they find something, then move laterally looking for exciting new toys to break.
I’d wager the initial breach was via an unscoped box. I’m not certain, but it’s not uncommon.