Yup. One of my clients got hit a couple of years ago. Nasty. We had all the security boxes checked at the time, but it got in anyway. Encrypted everything, which was the bad news. The good news is that we could check the router logs and confirm that none of the data had been exfiltrated. All attempts were blocked because Tor was blocked.
That sucked, but we were able to recover everything from offline backups. Even the delta from them was recovered when a decryption tool became available a couple of months later. We didn't have to go out and get a credit monitoring service for the entire customer base, which would have bankrupted the place.