They have not been able to establish how exactly the hackers broke into the system, but believe it may have been through a so-called spear-phishing attack, where an employee clicked on an email or link containing malicious code.
The rise of social networks, for example, has aided an increasingly common kind of attack known as spear-phishing, says Greg Bell, global service leader for KPMG's information protection practice.