I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I don't wish to go into too many details on this thread about it, but this box was not public facing.
So someone with physical access got in. If that's the case you should absolutely file a police report. $250,000 is way past misdemeanor level and there are a limited number of people with physical access.
But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access. So which was it? Was it accessible from the internet, or was it not?