If they had fallen victim to some undisclosed zero-day, I’d feel bad for them - but in this case it appears to be misconfigured VPC SGs. Their error. Inadequate processes.
We are also all labouring under the assumption that she was the only person to make off with this data.
I’m willing to bet that she’s just the first one daft enough to talk about it.
If the system was designed by humans, it can be hacked.