I don't see anything in the article to say when he gave the second (wiped) laptop back. I would assume it would be after the alleged hack.
More worrying though is the inference that he used the company WiFi to gain access. There really shouldn't be accessible WiFi that can allow access to production kit. Any remote access should be via some sort of VPN via 2FA. The 2FA alone should have been enough to stop the alleged login as someone else.