While details on how the attack occurred are scarce, it's not surprising that this level of personally identifiable information (PII) was stored in emails rather than secure locations. Email is one of the largest repositories of sensitive information within any organization's network, and is the primary communication mechanism both internally and externally. Within any organization, emails can and will contain all kinds of different information, much of it sensitive. This includes message bodies, attachments, calendar appointments, notes, tasks, contacts, and more. Sensitive information such as what was stolen in this breach shouldn't be available simply by compromising an email account, and this breach demonstrates why it's important to frequently audit networks, including email, to determine which mailboxes, servers, and users represent the most risk for sensitive data. Data Access Governance software can help locate this data, classify it, secure over-provisioned access to that data, and monitor for unauthorized or abnormal data access activity.  Read Less