(no title)

I think you are saying the attacker did or could have aquired the encrypted customer credentials but not the decryption key.

If that is the case could provide some more detail about the type of encryption to reassure us that it can not be brute forced.