I shudder to think what you would actually describe as "bad things"
Well... The sole fact that they are performing unauthorized actions on our servers is a bad thing... But they are not performing DoS attacks nor using our SPs to sell on behalf of nonexistent agencies, etc... At least, not yet.


I presume that you have a contract with these people and that there is an AUP in force that has been agreed by you both??????
Have you consulted your corporate lawyers? Are your CEO and CFO aware of this? Is this activity even legal where you are?
This is totally unprofessional and unacceptable behaviour by a business partner. Is their CEO aware of what has been going on?
Well, there is a commercial contract, but no AUP. After detection, our CEO consulted the lawyers and it was determined that this is an illegal intrusion, abuse of trust and probably violation of copyright. I agree this is totally unacceptable. Their CEO is aware of this, this is not just 'some of their guys'.



This isn't an issue of applications or database security, this is a matter of dealing with people you can trust. I presume that you have more than one client............well I can assure you that the others will not be impressed if you don't deal with this.
Well... I agree that this is a matter of trust, or abuse of trust. However, they did irrupt into our systems, they did capture information on how to connect to our servers, and they did decrypt our stored procedures (among other things). I am not in a position to defend legal matters for the firm. The only thing I can do is try to protect our servers, so they cannot do any of these things anymore.

EDIT: To make myself a little clearer. You have customers who have employees.........perhaps these employees are not trustworthy? What they have done is unacceptable, but may well have been done without the knowledge and approval of their management.
As I said before, their management was aware of this, and presumably, they even encouraged these actions. Personally, I think that they were trying to put us out of business.

Our management decided that it was better if we kept this quiet, so other clients don't think of our systems as 'not secure'.

I was asked to secure the systems, because if our management decides to launch legal action, we have to be certain that we can defend ourselves from a full scale attack.

Thanks