An organization's information security manager is performing a post-incident review of a security incident in which the following events occurred:

• A bad actor broke into a business-critical FTP server by brute forcing an administrative password
• The third-party service provider hosting the server sent an automated alert message to the help desk, but was ignored
• The bad actor could not access the administrator console, but was exposed to encrypted data transferred to the server
• After three (3) hours, the bad actor deleted the FTP directory causing incoming FTP attempts by legitimate customers to fail

Which of the following poses the GREATEST risk to the organization related to this event?

A. Removal of data
B. Downtime of the service
C. Disclosure of stolen data
D. Potential access to the administration console