Not to defend anyone, but knowing universities as I do, the data in question were perhaps in the hands of a bunch of postdocs, and not subject to any centralized protocols.
It said it was servers that were compromised though, right? So you'd think there should be backups of the servers' data drives. I could understand if it were just people's desktops that they're not supposed to be storing sensitive stuff on anyway.
