This is based on only what I read here:
But can someone explain to me why someone could connect any random USB drive to a computer here? Or why a DLP product either wasn’t being used or a policy wasn’t in place to track these types of documents?
There are so many different ways out there to protect and/or prevent USB devices from being connected. A security policy can be enforced via an Endpoint Protection product, Group Policy (on Windows devices) or other means for various other OS’s out there.
Also a good Data Loss Prevention product can have policies detect confidential data from being copied over. Both structured data and unstructured data.
Seems like a lot of tools either were not in use or not configured.
Just remember this is based only on the information in this post