Inadequate monitoring of databases and privileged accounts, incomplete multi-factor authentication, and insufficient use of encryption are among the errors cited by regulators investigating the leak.