armchair quarterback comments:

The one thing that I would be concerned about is why didn't they move the source after they first detected the potential attack? This is their bread and butter (proprietary info). It sounds like even after the rebuild he didn't patch for the issue and still used the open preview pane option.

I think their security geek needs to review the procedures and practices.