"how were they able to browse on the kiosk in the first place?"
Most kiosks are just PCs with locked down configs, often just using a browser in kiosk mode instead of the normal shell so all it would take is not having the proxy/firewall stopping it and browsing would work fine.
Obviously on a well set up kiosk you couldn't browse, but kiosks are often implemented by first timers (as in first kiosk, not inexperienced staff) since it's not exactly the sort of thing you'd become an expert in and go consulting. Because of this it's likely many of them have "obvious" security holes. You're looking at this with 20:20 hindsight, but would you have thought of everything if you started fresh? Even with a thousand el reg vultures poring over your config?