This is how hacking is accomplished.
Improperly vetted and supervised IT contractors.
They can’t properly vet IT contractors. Can we expect much for vetting invaders?