tl;dr version: CISO pays for pen-test, receives ridiculous report. In addition to involving legal, he shares it with a prominent security blogger. Hilarity (and viral hashtag #ScumbagPenTester) ensue.

My favourite bit of the report is probably this:

MySQL configured to allow connections from 127.0.0.1. Recommend configuration change to not allow remote connections.

I

used to put stuff like this in pen tests to see if my boss was paying attention.

This sort of thing happens
in every industry, but what shocks me is that someone would try it on in an area like security. If you know you need a pen-test, surely you know enough to recognise 127.0.0.1?