Cyber security would identify the initial ingress route, not information governance.
It's more likely an indication of poor understanding of their own infrastructure, lack of forensic capabilities or lack of engagement with third-party security vendors.