It seems it would be far easier to just mail the company a raspberry pi, a battery and a GSM module. Address it to someone nonexistant so it doesn't get opened for a few days.
The real news is that the wifi didn't use 2FA like the rest of the system.
This wouldn’t make it through building security. My last large corp x-rayed all packages and would notice a nonexistent recipient immediately.