Anyone who has suffered a significant breach where authentication systems are suspect knows that likely you'll have to build a parallel 'clean room' system where the legacy system and infrastructure are completely untrusted, from hardware, firmware and software, then there are policy changes, etc. That can easily pass into millions territory. It's laughable to claim simple defacement.