It was "human error" in that they decided to trust the caller as being legit and give them access to their account again.

One needs to consider the situation where the caller is the legitimate victim of losing their phone and trying to regain access. In such a case, personal details verification should obviously be asked for. How much would be the question.

I suspect the company did not have such a policy put in place previous to this.