Sounds like their "test" databases used by IT is compromised. The "test" data usually comes from real data with certain fields masked / removed.
Or could be data used for marketing purpose, by outside firms. Each marketing campaign selects clients based on different sets of criteria.