I mean... how do you tell if you've actually breached the database without running a query?
This is the classic penetration test problem. (The result is that you either 1. need a waiver going in, which doesn't apply in this case, or 2. pretend you didn't see anything.)
The staffer being fired is standard damage control. "Locked out until you prove you don't have the data" is standard dirty politics.
I really don't think it was done maliciously given the timeframe of the vulnerability, and the fact that they reported it so fast. The bad news is, "it isn't as bad as it looks" doesn't matter as much as the fact that it looks bad.