Totally agree. My guess — and it’s obviously nothing more than that — is that they don’t fully know yet, but it might seem better and easier to solve than the alternative that there’s very little organizations in this position can ever actually do to prevent sophisticated attacks.
The fact they were unaware about the breach until FBI told them says much. It's not that easy to exfiltrate 6TB of data unnoticed if you have any IDS (automated or just manual) in place.
Having an IDS in place means jack shit if you don’t have skilled personnel managing it.
Depressingly often, these things are installed as part of a box ticking exercise to pass an audit or meet another form of compliance. however they never get set up right from the outset or the security professionals who were there leave and never get replaced.
In this case, if they’re talking about infrastructure available on the public internet with password only authentication then I’d wager any skilled professionals they may or may not have had, had already left. Because no security minded engineer would have okayed that practice. Which means even if they did have an IDS, I’m highly doubtful that would have been managed properly either.
