Whenever someone is hacked for weeks after there are articles, some with speculation to what happened. Often the theory is SQL injection but in cases like: Sony Pictures Entertainment, Sony, PlayStation Network, Target Corporation, United States Office of Personnel Management and likely Tesco Bank no one will ever know the full facts. Here are some of my own personal theories not in order and yes some are less likely....

Web platform
Many recent attacks have gone after layer seven (the application, i.e. port 443 or 80). SQL injection is common which could disclose records in a database or it could have been a loophole which lets someone get into another account without valid credentials.

Company infrastructure
General infrastructure is often separate to websites but is still linked. Malware on an endpoint (or server) or a comprised mail server are possibilities.

Privileged account
High powered accounts often login using the same method or website as normal users do to login. Password guessing or spear phishing could have gained access to a bank administrator account.

General phishing
Phishing (mass market) has existed for well over a decade and many banks, finance and logistics firms are targeted daily. However, to get lucky and get valid credentials for thousands of accounts is unlikely and this would take weeks or months to do.

Accidental loss
Remember the old days of councils and central government departments having laptops stolen or leaving USBs in car parks? Though less likely it is a possibility data was burned or saved to a USB/CD and it was lost or stolen. Even less (very) likely someone broke into a data centre or found an old hard drive with data remanence on. Perhaps 20,000 records were sent to the wrong email address or uploaded to an insecure file transfer website.

The insider
All sorts of numbers fly around, from 50-79% of attacks having an insider element. Either someone is part of a crime gang or sells the details on the black market.