The risk has been known for several years now, but it was believed to be low. 

Many other similar risks exist in technology today. But the risk landscape is a rapidly changing one. What was perceived a low risk a few years ago, may not be so low today.

Therefore it's important to regularly review how the risk, or the company risk appetite has changed and changes implemented before an incident occurs.