- cross-posted to:
- databreaches
The Company believes the unauthorized actor exfiltrated certain encrypted internal ADT data associated with employee user accounts during the intrusion. Based on its investigation to date, the Company does not believe customers’ personal information has been exfiltrated, or that customers’ security systems have been compromised. ADT’s containment measures have resulted in some disruptions to the Company’s information systems, and the Company’s investigation is at an early stage and ongoing.
This reads a lot like a domain controller got popped. Considering that this is the second breach in a short time, and the previous one got access to customer data, I wouldn’t be surprised to find out that it’s either the same attacker or this breach was an access broker who sold credentials to the previous attacker.
That’s just my guess, and I doubt we will ever get a sufficiently detailed write-up to know. But, it seems like a likely way for the attacks to go down.