This blog post from the RSA explains how the attackers gained access to their data.

In a nutshell, the attackers used social engineering to let an employee open an Excel Spreadsheet that contained a Flash object  ( zero-day CVE-2011-0609). Once they back-doored the computer, they used the credentials to gain further access on the network (privileged accounts and systems) and they stole the data.