Only a couple thousand had their Credit Card details stolen whereas nine million had information stolen.
This sounds like they were able to access the database to steal customer information and plant code on the website to scrape any future transactions before the Credit Card information is encrypted in the database.
Credit card information is needed as-is to be able to make transactions so hashing (and thus salting) doesn’t apply. Encryption is the best you can do.