The real issue is why did they have human L/P access on their PKI system. Usually unclass systems require PKI regardless of L/P. Even the DOD contracting system requires both.

And if they did not have L/P then the issue is far more concerning in that PKI was compromised.