Yes, the real security hole was 'operations' not sufficiently validating credentials and being a proper gatekeeper.