Hello Judgement!

Were you able to determine what information has been accessed that shouldn't have been?
Yes we were. They did not accessed our SQL tables. They only used the proper stored procedures to perform their business operations. They did not perform any incorrect operations.
The thing was that they accessed directly our SQL Servers, without going through the proper channels.

Depending upon which state your company resides may dictate whether you may remain quiet about the breach of security or not.
One of the things I learned from this thread was to also consider the legal aspects of the intrusion. So far, I had a very narrow vision of things, and I just saw only the technical aspects.

I don't know what the law says here about that, I will ask for legal advice.

Thanks!