[InsomniacL]

Only a couple thousand had their Credit Card details stolen whereas nine million had information stolen. This sounds like they were able to access the database to steal customer information and plant code on the website to scrape any future transactions before the Credit Card information is encrypted in the database.