You guys are absolutely right. The line "the hacker now has access to Joe's back-end data" with respect to GET requests is very misleading in this example.
Allow me a little justification, in my defense.
At a previous company, we were CSRF hacked as follows:
So in our case, the phisher had full access to client data, which is not the case with SIMPLES.COM.
Thank you all. I'll edit the post appropriately.
*hangs head in abject shame
There is no shame in correcting a mistake. I'm sure I've made my fair share of them in writing. :)