I've been looking at the various files LulzSec has uploaded from their victims. These include Sony (several different sites on separate occasions), PBS, the game company Bethesda, Fox TV, Nintendo, and a computer security company called Unveillance. They actually defaced the PBS site, posting a bogus article claiming that dead rapper Tupac was located alive.
They also extracted the hashed password file belonging to the Atlanta chapter of Infragard, an FBI-affiliated organization, and cracked a bunch of the passwords. The site is now offline.
My initial impression is that these folks are using some fairly simple attacks, like SQL injection, to retrieve a lot of the data. Note that in most cases they didn't actually deface the victim. I suspect they would have if they could have. Thus, they're taking advantage of the weaknesses they do find.
In the case of the US Senate, it looks as if they acquired "shell" access to the Senate's web server. They didn't need heavy-duty administrative access to retrieve the data. All of it is readable by the Senate's public web server and most is accessible via the Senate web pages. Some of the information, though, would be hard to retrieve without executing some commands one doesn't usually find on a web server. For example, the lists of volumes and of recent incoming SSH connections are not things one usually retrieves via web software.
Disclosure: I, too, am associated with Infragard. It's an organization that provides a liaison between government security organizations and nongovernment entities involved in infrastructure security. The FBI provides the liaison on the government side.