The total mismanagement of customers and expectations after the hack.

It would be naive to say the just the clear oversights in management were solely to blame - you can do everything right and still have data breaches. Far more intricate attacks could be perfected had the current vulnerabilities been resolved.

You can argue "its a big company" all you want and that the responsibility shifted. However, at that position, setting up a shoddy website where customers can see if they were impacted, then request/pay for their own credit freeze, is NOT SUFFICIENT handling of the situation and betrays a long historied past of never having to had handle a situation so grave.

Lives and livelihoods are at stake here. This isn't just a senior software engineer or technical director job where messups only breach trust. A crappy application developer could release buggy software, but one can "delete the app" at the end of the day. You can't uncork this bottle. This is a security position over some of the most personal data available on US citizens.

If there is ANY belief that this person "fell up" through a security role, that needs to be identified.