Citrix confirmed that the hackers who successfully breached the company’s network stole sensitive personal information of both former and current employees and were able to access internal assets for about six months.
— Sergiu Gatlan
Even somewhat unsophisticated attacks like password spraying or credential stuffing can give someone the foothold they need to access sensitive information. In this case it sounds like an HR system. What surprised me about this story was that it was the FBI that notified Citrix of the breach on March 6th.
NBC News says that the attackers were Iranian-backed and managed to make off with 6-10TB of documents.