I love the responses PwC gave.
"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff,"
In other words, trying to discredit them. There is nothing in that about the flaw not being real.
But the one that had me laughing at the spin was:
"The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."
Makes it sound like it's an old version that wasn't in use much anymore. But it was announced AFTER the fix. So publish the fix, which is now the "current version of the software" and, since it's published, "is available to all of our clients". But really, that doesn't mean that most of your clients are running the patch; it silently sidesteps the whole thing.
And the final one:
"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized,"
Yes, I would expect access to an admin account not to be listed on the main menu, I can believe it's an unlikely scenario. It's not actually hypothetical if it's been done by the security firm, so that part is a lie. The "we are not aware of any situation in which it has materialized" just means "we didn't catch it".