I would bet it was one of their own techs...
I think this smells very much like an inside job.
Network security (more like the total lack thereof) between servers has always been a "pet peeve" of mine.
IT departments want little or no firewall between servers so they can push updates quickly and automatically. Well, when the system has that many rights, it can be greatly abused by someone inside who is (pick one of the following) bored, needing extra cash, vindictive, or just plain crazy.
A very large company that handles people's medical records that I once worked for had all the servers open to people handling customer service (OUTSOURCED to a company that handled Nextel customer support)... Yes, that's right, customer support for a wireless phone company had access to medical records of one of the largest medical insurance providers out there.
To make a long story short, a bored NEXTEL rep accessed the voice records for the customer support (stored them on a thumb drive and walked away). They fired him, but who knows what he did with all that information.
This Hannaford is much more complicated, so I'd say it was a member of their own IT (unless they outsourced that to some techs from India) this time.
Unbelievable.... Shame, shame, where are the internal controls, people!!!!!!