Reply to post: Encryption

TalkTalk incident management: A timeline

Richard Wharram

Encryption

Encryption might not have made any difference. If they just used SQL to query the data out of the database then it doesn't matter if it was encrypted at rest or if the channels the data travelled over were encrypted.

Allowing SQL injection usually means you developed your website in an old framework that didn't block it by default (like classic ASP or early versions of RoR) or that your devs overrode the defaults to make their code easier. Also that you didn't run any number of automated pen-test tools against the site. Or that you ignored the results if you did.
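
The point made in the comment above, as an added example that is not part of the original post: a table that is encrypted on disk is still served in plaintext to the application's own queries, so a string-built query leaks it while a parameterized one does not. The table, rows, key and the toy XOR keystream standing in for at-rest encryption are all constructed for illustration.

```python
import hashlib
import os
import sqlite3
import tempfile

KEY = b"constructed-demo-key"  # constructed; stands in for a disk or TDE key

def keystream_xor(data: bytes) -> bytes:
    """Toy stand-in for at-rest encryption (SHA-256 counter keystream), not real crypto."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(KEY + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def build_encrypted_store() -> bytes:
    """Create a customer table (constructed rows) and return the file as stored on disk."""
    path = os.path.join(tempfile.mkdtemp(), "customers.db")
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
        (3, "carol", "carol@example.test"),
    ])
    db.commit()
    db.close()
    with open(path, "rb") as fh:
        return keystream_xor(fh.read())

def open_store(blob: bytes) -> sqlite3.Connection:
    """What the database engine does for the application: decrypt, then serve queries."""
    path = os.path.join(tempfile.mkdtemp(), "live.db")
    with open(path, "wb") as fh:
        fh.write(keystream_xor(blob))
    return sqlite3.connect(path)

def lookup_concatenated(db, name):
    # Vulnerable: user input becomes part of the SQL text.
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # Hardened: input is bound as a value and never parsed as SQL.
    return db.execute("SELECT name, email FROM customers WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = open_store(build_encrypted_store())
    print(lookup_concatenated(db, "x' OR '1'='1"))   # every row, in plaintext
    print(lookup_parameterized(db, "x' OR '1'='1"))  # no rows
```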
