https://www.cbc.ca/news/canada/calga...ctor-1.6898118
To me, all signs point to an intruder or malware was successful in penetrating their environment and lurking/staying dormant for long enough that they don't know what devices and accounts and systems are compromised because of the spread of the malware or by potential lateral movement.
That explains why they might be wiping all accounts and rebuilding from scratch as well as replacing all endpoints in phases because they have no way of knowing that even if they restore all systems that attacker hasn't hidden backdoors, worms, etc. that could be reactivated after the all-clear.
So in this case, it's not so much about time for restoring backups, but a complete decontamination and clean sweep of all systems. That also indicates to me that given the timeframe, that the backups might have also contain those same backdoors and malware so they would need to be very careful about what to restore. If they surmise from the SIEM and forensics that someone has been poking around their network for the past 6 months undetected for example - how can you safety restore from backup without losing 6 months of business changes?