I interpret this to mean that the remote desktop software, that was probably installed semi-officially to allow remote work, didn't have MFA. The fact that hackers were able to obtain the password suggests that this was an ad-hoc arrangment.
It is troubling is that they could leverage one account to gain access to the rest of the system. It seems like the IT people aren't following the same rules (long complicated passwords) that the rest of us are expected to.