Who pays for the milk?

I have another scenario, set in the near future, from the Internet of Everything.  I've read stories about smart refrigerators that can order items when you’re about to run out of them so let’s pick milk.  And of course since it’s a smart refrigerator, it’s connected to the public Internet.  The situation might unfold like this.

On a Thursday a young hacker unleashes a piece of code that targets a popular brand of smart refrigerator with a known vulnerability.  This simple piece of code tells the device to order a single gallon of milk every day (even if there is milk in the refrigerator).  The milk is delivered to people’s homes but after a few days they refuse delivery because they already have enough.  A particular supermarket chain, one that has analytics in place for its logistics & distribution systems, notices a pattern because it’s always the same kind of smart refrigerator that continues to order a single gallon of milk every day.  Hundreds of thousands of customers are affected so the supermarket chain halts all orders coming from this particular make & model of refrigerator.  People complain that they have to manually purchase groceries but there are also billing conflicts because people don’t want to pay for items they say they did not order.  Eventually with assistance from the supermarket chain, the manufacturer of this particular smart refrigerator patches the vulnerability that allowed the hacker to insert the bad code.

But as always with the Internet of Everything, who is responsible?  Who is the responsible party in this situation and what are they responsible for?  The people who owned this make & model of smart refrigerator configured it to automatically order items as needed.  The manufacturer sold a device that had a vulnerability.  The supermarket chain automatically accepted orders from customers who setup accounts with them.  Metaphorically the question is, who pays for the milk?