It is very, very hard to answer your question as nobody can say for sure which vulnerability has been exploited to gain access to your database server.
Was SSH access via password for root / a sudo user enabled? (Should allow only via PublicKey.)
Was SSH access allowed via iptables from everywhere? (Should allow only specific hosts.)
Which database server did you use? In case of MySQL
Was there a "root" user with access to all databases that was not bound to 'localhost'?
Was access to the database server on the port it is listening on (default 3306) restricted to the hosts using the database (i.e. the Moodle server)? (Again, check iptables.)
Were there any unencrypted dumps of your databases stored on your system?
Finally, you should ask yourself:
1) Do you have any backups (mysql
dump) from which to restore your Moodle? You would obviously want to do this on a better secured system.
2) How sensitive is the personal data that has been stolen? You should definitely contact authorities and notify your users about this security breach!
3) This is more of a security related issue rather than specific to Moodle - you might want to get input from other, more specialized communities.
Cheers and keep your head up