Sounds like an inside job to me...
No hacking here as far as I can see (caveat - based on what I've read so far).
Internal login used, quite possibly by an employee or at least someone in collusion with the alleged thieves. Eight customers affected. Sounds like their internal systems for flagging this activity worked - or maybe the insider got careless, who knows?
A similar thing happened years ago when I was a manager at another mobile operator (I won't name them, but ee, the stories I could tell you on a one to one basis). An entire team found a way to force these upgrades and drop ship to marked addresses for collection. Nothing wrong with systems or security - someone was determined to find a way around it and greed got the better of them.
Was flagged up very quickly, but allowed to continue (to amass evidence) and then the day came when they were summarily dismissed. Quite a few arrested immediately afterwards too.
Sadly there will always be internal theft - no amount of system security and cross checking is going to overcome that completely - after all, you have to trust that the people you are employing in these roles are honest.