> they had to hire an "incident response provider" just to figure out what happened and clean up after the hack

Plenty to criticize them for, but that's totally standard and not something to ding them for. Probably something their cyber insurance has in their contract.

Forensics is its own set of skills, different from appsec and general blue team duties. You really want to make sure no backdoors got left in.