As my understanding was that the auto-reboot and lockdown of the systems supported by this engineer were the cause of this, the attacker scenario yields to Hanlon's razor here.
The article describes that his former manager was terminated due to a corporate acquisition, and turned into a contract-worker from home "until after the takeover" and that manager never updated the HR system to show the article writer's contract was renewed. So, from the system's perspective, he was to be terminated on 3/1/17, and the system hadn't been told that was no longer true and so it performed it's programmed activities.
>Hundred of thousands of records were missing and the web interface was not responding.
Are you sure you guys didn't have an attacker on the loose?