Speaking from experience, the more likely scenario is someone misconfigured a service, left something wide open, which lead to data being leaked. And instead of just saying “ya we fucked up” they blame china and make it seem like some super advanced hack that no one could possibly defend.

But it’s rarely that complicated. Most security departments have been turned into compliance check boxes at this point.