Kroll is a major IT Security Contractor that works for Federal, State and Local governments. They specialize in doing post cyberattack forensics and scaring there customers into all sorts of expensive remediations. However, they never find the culprits and never encourage prosecuting them (even though they employ former FBI). It's like they want the bad actors to keep doing bad things, so they can charge exorbitant fees to 'clean it up'. I mean if they actually found and incarcerated these cybercriminals, they'd eventually put themselves out of business right?
When Kroll does these forensic analysis, they do deep dives into there customers most crucial systems, writing up reports showing where the critical vulnerabilities are. If the hackers got a hold of this data, and the customers didn't remediate properly, they are very likely to be hacked again very soon.
Like the previous SolarWinds Attack, this attack could have widespread fallout well beyond what Kroll, the media, and the government that is the vulnerable customer is likely to admit.