No shit sherlock, but that's is irrelevant to my question. He claims "this box was not public facing", then provides an ip that the attacker connected from. So which is it? How did the attacker connect to a box that was not accessible?
there are no proof that hacker hack his site maybe some other problem he faced but hacker didnot hack his website no record of hacker or hackingStill irrelevant. Maybe try understanding the question. It still won't help though since the question isn't directed to you and you don't know the answer. A system, holding an unencrypted copy of the keys was hacked. He claims this system was not public facing, yet he also claims that the attacker connected from a specific IP. If the system was not public facing, how did the attacker connect to it?