And it's based on anecdotes like this...
that IT departments in universities say things like "no, staff members can't have admin rights on their devices, there's no need, and if there is we have the keys to the kingdom..." whilst apparently forgetting that the keys to the kingdom are themselves vulnerable to theft or abuse. It wouldn't surprise me if the breach was closer to home than they would like to admit.