You are correct although it seems a bit under-reported.

How does a senior engineer have control over millions of dollars without review?

I also am somewhat skeptical of this one-click PDF hack. They used a zero-day for this attack? In Chrome? Why hasn't this been discussed if so?

I'd speculated previously on this, but that could be fairly trivially accomplished with signature requirement extensions. here's my prior comment:

We had an employee compromised by a similar attack-executable linked in a Pdf.

Basic flow was-phisher asked employee to sign a document relating to customs. The phisher had gathered that this employee works with shipping claims and returns, and surmised that they need to deal with customs documents requiring signature. There was a link to an exe hosted on a European cloud service in the PDF titled "install fake signature certificate company to sign this document". This directed to a download of a basic ransomware executable. This did get past our AV to the point of encrypting the employee's machine, but thankfully was blocked from spreading to the rest of the network.

The employee's machine was toast, but I was able to restore from the prior day's backup and no major harm occurred. I was able to see the phishing attack since we use gsuite email so the ransom ware didn't erase the employee's inbox, but they did lose a half-day work and I updated our training. The attack itself was clever from a social engineering perspective, but the technical exploit was something any script kiddy could have downloaded from the open web, nothing advanced at all. But Gmail doesn't always scan links in PDFs, so a clever ruse was able to bypass Google's scanning as well as our local scanning.