What are you doing to address the process/structural issues that allowed such a privacy issue to get to production?

What are you doing to address the support issues that allowed such a privacy issue to remain after being reported?

What are you doing to address the issues with the company's prioritisation framework that allowed such a privacy issue to remain for 4 years?

Which authorities are you reporting the privacy issue to in line with local requirements?