I've been looking at the various files LulzSec has uploaded from their victims. These include Sony (several different sites on separate occasions), PBS, the game company Bethesda, Fox TV, Nintendo, and a computer security company called Unveillance. They actually defaced the PBS site, posting a bogus article claiming that dead rapper Tupac was located alive.
They also extracted the hashed password file belonging to the Atlanta chapter of Infragard, an FBI-affiliated organization, and cracked a bunch of the passwords. The site is now offline.
My initial impression is that these folks are using some fairly simple attacks, like SQL injection, to retrieve a lot of the data. Note that in most cases they didn't actually deface the victim. I suspect they would have if they could have. Thus, they're taking advantage of the weaknesses they do find.