I think what Brandon is trying to say is that the files were never online. They were stored properly behind a firewall and secure servers. The hackers got behind the firewalls and into the secure servers. Which is no small feat, unless there was a major security flaw or you had the keys. Which points more likely to a disgruntled employee.
Now this should be a lesson to all businesses to not trust firewalls and secure servers, and go one step further and encrypt sesitive documents. It's a pain in the ass since you have to decrypt every time you access it, and it takes up a lot more server space. But for all we know, they also could have been encrypted.