That's always possible.    For example:  they might have only had one physical copy of the key,
and the piece of paper got lost or stolen,   or a "hacker" broke into the "offline" server,   snagged a copy of the keys,
and deleted them all.

There are thousands of ways they could have screwed up and lost the keys.


This is why a cautious, responsible company would for sure have multiple backups of the secret keys

plus prevent any one individual from gaining access to them,  by  dividing the keys,  and using a validated system to construct the keys  when required,  requiring participation of  N out of M   of the trusted individuals.

and frequent audits of  customer transactions and deposit balances, to authenticate any requirement to withdraw from cold storage, AND to ensure the vast majority of funds are rolled into cold storage.



Based on the news... there is reason to think MtGox was anything BUT sufficiently cautious, with well-thought-out implementation  of back office security controls.