That is a truly terrible thing to happen. Both for the store and the customer.
I have to say that one good thing about using paypal exclusively and
taking MO and check only is that this can't happen to me (fenix-store.com)
because my store doesn't store or even take credit cards. Of course
you have to trust paypal.com's site, but they're a bigger company
and I don't mind them handling my CC transactions.
Mr. light edge, when you get around to it, could you let us know how they
got in? And what kind of software you used? That would help us little
store owners protect ourselves from this happening again.