I don't talk about the source code, that is a separate question. But for the rest : 1) credit card data CANNOT be hashed. Hashing is a one way function, data cannot be restored from hash. Hashing is useless for anything else but passwords in this context. 2) if credit card data was encrypted, then to be able to show/edit credit card information to users via website it has to have access to the credit card information, and have access to decryption keys. And because that key has to be part of the website, it is pretty much useless, unless we talk about database-only hack, which is not what happened here, as this one looks like complete hack including internal systems.