She probably wasn't informed by her IT staff. Who knows who set up the website - them or an outside company? And if it was internal IT staff, were they competent enough to know they had not folllowed good security procedures? However she could have employed an external (read experienced) security consultant to test their security, but obviously didn't.