Only $22M?
"I'm blown away by the fact that they weren't using multi-factor authentication," Kellermann told The Register. "I'm blown away that the networks weren't segmented. And I'm blown away that they didn't conduct threat hunting robustly into that environment knowing that they had been compromised. I think it's egregious negligence, frankly."
It's really no different from the 2017 Equifax breach. This resulted from (among other things) failure to maintain a service inventory, so they couldn't find a vulnerable service they'd been warned about and provided with a patch for; failure to renew the digital certificate used for decrypting traffic on an activity monitor, so they couldn't see the exfiltration taking place; and retention on the network of a plain-text file containing credentials allowing the perps access to other internal networks. By 2019 the breach had cost them $1.4 billion, and subsequent settlements added another $650 million, so $22 million is really small fry.
In both cases, as usual, the root causes are not technological -- they're inadequate management. Unfortunately, fulfilment of the really quite basic subclauses 5.1 'Leadership and commitment' and 5.2 'Policy' of ISO/IEC 27001 is interpreted by most organisations (at least in my experience) as a pure paper exercise. The Board gets the CIO to write a 'commitment statement' to satisfy the ISO auditors and then forgets about infosec entirely. Policies are written off the cuff by a designated staffer instead of their requirements being investigated and discussed, and from that point on infosec activities are conducted in multiple independent technological silos (anti-virus, firewall management, user access and authentication, etc.) that don't intercommunicate, so no overall picture of the organisation's real security stance is available to anyone. Hence the prevalence of data breaches.