Why so many pages of "Recommendation: implement multi-factor authentication" and other IT security irrelevancies? Did they need to pad out the number of pages?
Infrastructure in general has pretty terrible security practices, so I won't bemoan someone finding a useful soapbox to remind them to shape up a bit, even if it isn't the core cause of this particular issue (and it's probably also a reaction to various rumours/speculation about a cyberattack).