Firstly, I doubt that this behavior was not against policy, meaning that employees were not able to do so, but did so anyways. Secondly, the article didn't include they were ordered to create a "comprehensive privacy and data security program" which would lockdown such access further.