From the breach notice (my emphases):
... a team of CREST-Approved security specialists have been working with us to urgently investigate this issue. Our findings have shown no evidence that our benefits platforms have been attacked or compromised.
However we have now identified a sophisticated malicious software (malware), undetectable by leading antivirus software, has caused a data breach, leaking some limited personal information without our consent.
Investigations are still ongoing, but we have now managed to isolate the malware, preventing any further leaks of personal information.
So, Sodexo, which is it? Were you attacked/compromised or not?