I have had some conversations with suppliers recently who thought they were making good noises about security and transparency but in fact were bowel-looseningly amateurish. Most scary was that they really believed they were on the ball. The day before I'd found they had a product management platform with a web interface with an unsecured login for customers. I only found it because they'd let the certificate on the https page expire shutting everyone out.
Not to worry though it was only a system to monitor vulnerable adults in their own home, FFS. Procured without oversight now being rolled back in an abject panic.
You'd think this is a small garden shed concern but it isn't, it's a multibillion dollar international company. Not CRAPITA for once.