Is there any reason they do not mention who is the "globally recognized cybersecurity firm"? Also I did not find them mentioning anything about honesty :).

Is there anyone building their SaaS with security-first principles?

Summary from the article: Someone got access. We don’t know who or why. They didn’t change anything and we will assert they couldn’t have. We will be throwing a contractor we work with under the bus for this one.