You can install as many security mechanisms as possible if the users act carelessly in the end. Social engineering is a broad field, so you can't say exactly how the hackers got to the data, but it often happens via a personal mail asking to change the password and then redirected to a fake site. It is difficult to prevent such mistakes from individual users.