Recently Aetna suffered a breach where it lost 65,000 SSNs. They were never able to find an audit trail of what happened, which probably hints that the attack leveraged XSS or a similar technique.

Are there specific known attacks that the bad guys are repeatedly leveraging for this type of attack?

+2  A: 

It's not at all clear at this point that this was a technical failure, and given the inconclusive forensics it seems much more likely to me that this was a human failure, be it social engineering, data left on a train seat, or a disgruntled employee.

AFAIK the only way to truly leave zero audit trail is for the auditing to have not been written. Logging HTTP traffic alone will always give you some evidence of an HTTP-based attack.

annakata
+3  A: 

There are common mistakes that people make and there are common platforms that people use. Each, if left unpatched, would allow somebody to break in using a simple script.

But if somebody was going after something specifically, in this case social security numbers, that have high value in organised crime rings, I would have expected somebody to spend a little more time figuring out how the site worked and applying a custom exploit to grab the data.

I don't see why it has to be XSS either. If their systems weren't sending access logs off-server, or even logging every entry point, there are a variety of methods by which somebody could exploit a vulnerable server and clean up afterwards.

Oli
I vote for not encrypting SSNs as their top mistake.
Daniel Straight
I don't see why the database user that the website uses has read access to the SSNs. If I were handling seriously private data like that, it would be on another machine (another network, even) completely, with all access strictly limited to just what's needed.
Oli
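The two comments above (Daniel Straight on not encrypting SSNs, Oli on the web tier's database user having read access to them) describe one design: keep the SSNs out of the database the web application can reach at all, and expose only the narrow operations the site actually needs. The following is an added example, not code from the original thread or from Aetna; the `SsnVault` class, the token scheme and the sample customers are all assumptions made for the demonstration. The vault runs in-process here, standing in for a separate service on its own host and network segment, and it keeps SSNs as keyed HMACs so that even its own table is useless without the vault-only key.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3
from typing import Optional

# Constructed sample records for the demo: not real people or real SSNs.
SAMPLE_CUSTOMERS = [
    ("Alice Example", "123-45-6789"),
    ("Bob Example", "987-65-4321"),
]


class SsnVault:
    """Assumed design: a separate service the web tier talks to over a narrow API.

    The web tier never receives the connection or the key, only the two
    operations below. There is deliberately no get_ssn() method.
    """

    def __init__(self) -> None:
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE ssn (token TEXT PRIMARY KEY, mac BLOB NOT NULL, last4 TEXT NOT NULL)"
        )
        # Key exists only inside the vault process. Someone who dumps the web
        # tier's database, or even this table, cannot recover SSNs without it.
        self._key = secrets.token_bytes(32)

    def _mac(self, ssn: str) -> bytes:
        return hmac.new(self._key, ssn.encode(), hashlib.sha256).digest()

    def store(self, ssn: str) -> str:
        """Store an SSN and hand back an opaque token for the web tier to keep."""
        token = secrets.token_urlsafe(16)
        self._db.execute(
            "INSERT INTO ssn VALUES (?, ?, ?)", (token, self._mac(ssn), ssn[-4:])
        )
        return token

    def verify(self, token: str, candidate: str) -> bool:
        """Does the SSN behind this token match the candidate? Constant-time compare."""
        row = self._db.execute("SELECT mac FROM ssn WHERE token = ?", (token,)).fetchone()
        if row is None:
            return False
        return hmac.compare_digest(row[0], self._mac(candidate))

    def last4(self, token: str) -> Optional[str]:
        row = self._db.execute("SELECT last4 FROM ssn WHERE token = ?", (token,)).fetchone()
        return row[0] if row else None


def build_web_db(vault: SsnVault) -> sqlite3.Connection:
    """The only database the website's DB user can see: names and tokens, no SSNs."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL, ssn_token TEXT NOT NULL)"
    )
    for name, ssn in SAMPLE_CUSTOMERS:
        db.execute(
            "INSERT INTO customer (name, ssn_token) VALUES (?, ?)", (name, vault.store(ssn))
        )
    db.commit()
    return db


def dump_everything(db: sqlite3.Connection) -> list:
    """What a full compromise of the web tier's database yields: every table, every row."""
    rows = []
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        cols = [c[1] for c in db.execute(f"PRAGMA table_info({table})")]
        for row in db.execute(f"SELECT * FROM {table}"):
            rows.append(dict(zip(cols, row)))
    return rows


def contains_ssn(value: str) -> bool:
    """Crude check used to prove the dump carries no SSN-shaped values."""
    return re.fullmatch(r"\d{3}-\d{2}-\d{4}", value) is not None


def token_for(db: sqlite3.Connection, name: str) -> str:
    return db.execute("SELECT ssn_token FROM customer WHERE name = ?", (name,)).fetchone()[0]


if __name__ == "__main__":
    vault = SsnVault()
    web_db = build_web_db(vault)
    leaked = dump_everything(web_db)
    print("SSNs in a full dump of the web DB:",
          sum(contains_ssn(str(v)) for r in leaked for v in r.values()))
    tok = token_for(web_db, "Alice Example")
    print("verify correct:", vault.verify(tok, "123-45-6789"),
          "verify wrong:", vault.verify(tok, "123-45-6780"),
          "last4:", vault.last4(tok))
```

The HMAC store only supports verification; where the plaintext SSN must be recoverable (for example to print on a form), the vault would hold it encrypted under a key that likewise never leaves the vault, which is Daniel Straight's point. Either way the website's database user, and therefore any SQL injection or credential theft against the web tier, yields tokens and nothing more.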
+1  A: 

I've seen the results of some automated attacks, and one of the first things they do is disable logging, and delete all logs.

That's why it's common to change logging locations to a non-standard path - it won't do anything against a determined attacker, but it will give you more information in the case of an automated attack.

chris
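chris's answer above (automated attacks disable logging and delete the logs), Oli's point that access logs were probably not being sent off-server, and annakata's point that logged HTTP traffic always leaves some evidence all meet in one practice: ship each record off the host as it is written and have the collector chain the records with a key the web server never holds. The following is an added example, not code from the original thread; the record format, the chaining scheme, the `collector-only-key` and the four sample requests are constructed for the demonstration. Deleting a record, rewriting one, or truncating the tail on the collector's copy is then detectable, and the last sample record shows the kind of XSS probe that an access log records regardless of what the attacker later does to the web host's local files.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed sample access-log records (assumed shape, trimmed to what the demo
# needs); not real traffic. The last one is an XSS probe.
SAMPLE_RECORDS = [
    {"ts": "2009-05-28T10:00:01Z", "src": "198.51.100.7", "req": "GET /login HTTP/1.1", "status": 200},
    {"ts": "2009-05-28T10:00:05Z", "src": "198.51.100.7", "req": "POST /login HTTP/1.1", "status": 302},
    {"ts": "2009-05-28T10:00:09Z", "src": "203.0.113.9", "req": "GET /admin/export?fmt=csv HTTP/1.1", "status": 200},
    {"ts": "2009-05-28T10:00:12Z", "src": "203.0.113.9", "req": "GET /search?q=<script>alert(1)</script> HTTP/1.1", "status": 200},
]

GENESIS = b"\x00" * 32  # assumed starting value for the first record's chain link

XSS_MARKERS = ("<script", "javascript:", "onerror=")


def suspicious(records: List[dict]) -> List[dict]:
    """Evidence that survives in plain HTTP logs: requests carrying XSS markers."""
    return [r for r in records if any(m in r["req"].lower() for m in XSS_MARKERS)]


def chain_records(records: List[dict], key: bytes) -> List[dict]:
    """Collector side: give each record a sequence number and an HMAC that covers
    the record and the previous record's HMAC, so nothing can be removed or
    altered in the middle without recomputing everything after it (needs the key)."""
    prev = GENESIS
    chained = []
    for i, rec in enumerate(records):
        body = json.dumps(rec, sort_keys=True).encode()
        mac = hmac.new(key, prev + body, hashlib.sha256).hexdigest()
        chained.append({"seq": i, **rec, "mac": mac})
        prev = bytes.fromhex(mac)
    return chained


def verify_chain(chained: List[dict], key: bytes, known_head: str) -> Optional[str]:
    """Return None if the chain is intact, else a description of the first problem.

    known_head is the most recent MAC the collector reported (e.g. to a separate
    monitoring host); it is what makes tail truncation detectable."""
    prev = GENESIS
    for i, entry in enumerate(chained):
        entry = dict(entry)
        mac = entry.pop("mac", "")
        if entry.pop("seq", None) != i:
            return f"gap or reorder at position {i}"
        body = json.dumps(entry, sort_keys=True).encode()
        want = hmac.new(key, prev + body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, want):
            return f"record {i} modified or forged"
        prev = bytes.fromhex(mac)
    if prev.hex() != known_head:
        return "tail truncated or replaced: chain head does not match collector's head"
    return None


if __name__ == "__main__":
    key = b"collector-only-key"  # assumption: held by the log collector, never the web host
    chained = chain_records(SAMPLE_RECORDS, key)
    head = chained[-1]["mac"]
    print("intact:", verify_chain(chained, key, head))
    print("probe deleted:", verify_chain(chained[:-1], key, head))
    print("middle record removed:", verify_chain(chained[:2] + chained[3:], key, head))
    edited = chained[:2] + [dict(chained[2], src="10.0.0.1")] + chained[3:]
    print("source IP rewritten:", verify_chain(edited, key, head))
    print("XSS probes in log:", [r["req"] for r in suspicious(SAMPLE_RECORDS)])
```

The chain does not stop an attacker who has rooted the web host from wiping its local logs, which is the automated behaviour chris describes; it makes the off-host copy, the one that matters for forensics, tamper-evident, and the non-standard local path chris suggests buys time for that shipping to happen.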
A: 

The lack of an audit trail is not surprising, to say the least. Not many companies out there keep meaningful audit trails. Sure, there are often gigabytes and gigabytes of logs, but who goes through all of that? Most IT places would just dump it once it ages enough, so it's entirely possible that this breach happened a while ago and they've already dumped the logs, since from the article it looks like they did not know about the possible breach until the spam mail started coming in.

I'd suspect poor IT instead of some clever attack that caused the lack of an audit trail.

yx