Welp that answers alot
Interview on the radio over lunchtime had the MD mentioning about an SQL injection attack.
If thats the case, it doesn't matter if the database was encrypted or not (note, encrypted, not hashed). If you can get a direct line to run queries, then unless the data is hashed as well (rendering it pretty much useless for anything other than confirming details like a password or username, unless I've missed a trick there) they've pretty much got the keys to the kingdom.
Also, if true then what sort of trained gibbon do they have running their IT to fall prey to the most basic of basic attacks? Secondly, data siloing, ever heard of it?