All credentials were encrypted by a reputable password management service. I claim no expertise to judge the security of the master password but it was very long. Its status as a master password and its use in all respects were fully understood by the Consultancy upon acceptance.
If the Consultancy deemed this password to be unfit for ongoing use, they certainly had the opportunity and the duty to change it.
Who created that account and configured it to use that
particular master password?
If it was someone with basic security knowledge, it's a setup to be able to claim plausible deniability later.
If it wasn't, well, then it's just bad security practices not having changed it knowing its origin.