Still irrelevant. Maybe try understanding the question. It still won't help though since the question isn't directed to you and you don't know the answer. A system, holding an unencrypted copy of the keys was hacked. He claims this system was not public facing, yet he also claims that the attacker connected from a specific IP. If the system was not public facing, how did the attacker connect to it?
The system was connected to from one of our other boxes which was accessed through a virtual console. The wallet box had all public ports blocked but was able to be connected to from a few of the other boxes.