It looks like a third party may be the cause of this breach. No matter how secure your own domain is, you are only as weak as your supply chain. 

Companies need to protect themselves with an 'outside in' approach to protecting their domains and customer data.