It isn't obvious the server was hacked at all, not that it's much better. A user with legitimate access to the box might well be responsible. Naughty, very naughty...
Absolutely. Any thorough investigation should start with an internal audit, since that doesn't even require initial compromise. If the hacker was any good, they'll never know where he came from, or where he went. They'll need someone good to find him/her, and the best leads would probably come in where he was continually collecting any data from those external probes, since it would be a repeated action. I doubt any of that will ever be shared externally, though, just not smart since that exposes their security/methods as well. Their situation sounds so loose they probably need an external review.