I used to work for a web hosting company and we saw this kind of attacks ALL the time.
Most of the cases was because of old CMS versions, but in same others the computer uploading the files was infected and the FTP credentials were stolen (Change your user/password and analyze ftp logs).
I would also check the database and do a clean install of the CMS.
The server could be compromised but I don't think this is the case.
I've just sent an email to Colin about this. Will edit my comment as soon as I have a response.
EDIT: Wow, got a response in less than 5 minutes:
It's not something I'm looking at doing right now. The way the Tarsnap server
side is designed, in order to keep costs low (and performance high), data is
aggregated between multiple Tarsnap users and stored in S3 as large chunks;
keeping each user's data segregated would add a lot of additional complexity
and cost.
Not for now, but they should. The problem is that you need to take your customer to another site and that screws all the transparency (Doing everything in just one site) and simplicity that you have right now.