That's a good question. If the thieves didn't have the CVV1, it should have been a lot harder for them to use the stolen cards. I would have thought the "no store" rules should apply to both CVV1 and CVV2 to help ensure the presence of a legitimate card.
--
Edit: if early reports are accurate, and the credit card data was stolen via malware on the POS machines as the cards were swiped, then it would make sense that they would capture every possible piece of data, including CVV1.