Wow that's bad. When someone has full control of your routers you can never be sure what they made off with. Remember that not everything is secured with TLS/SSL. Heck think about all the traffic that is unencrypted that isn't HTTP. Someone exploiting the management port of IOS could conceivably just log all data and review at their leisure. Wiping IOS was most likely to cover their tracks.
What frightens me even more than Luke taking the edge routers to Anchorhead, is this phrase: "When we received alerts and reports from customers, our operations team began to check our infrastructure." which suggests that they didn't have monitoring in place that could detect and alert on even such a coarse-grained event.