Prompt Action?
The breach happened on or around December 23, 2022... didn't discover the unauthorized activity until January 10... "We took prompt action to contain the incident and secure our systems"... "...the last known date of unauthorized IT system access was January 19"
So, their "prompt action" was to allow the miscreants systems access for a further 9 days? Maybe I'm being a bit harsh here and maybe they were, with the potential help of law enforcement, trying to track down the baddies with a view to potential criminal charges - or perhaps gleaning intel - but doesn't 9 days unauthorised known activity seem a bit excessive?