[ChemicalWarfare]

>>Encryption is not a panacea.

Sure. But it is a good first step, a must really when dealing with sensitive data. Proper encryption at rest, like let's say a 256 bit AES encryption with a symmetric key itself encrypted with a PKI key pair with private key physically stored on a separate physical machine and frequent key rotation procedures in place would go a long way towards protecting the data.

It's not 100% clear exactly what happened at Equifax so it's hard to tell if at-rest encryption would have helped, from what I understand the working theory is that apache struts CVE-2017-5638 was exploited but it's not 100% clear exactly what went on so yes encryption might have not helped in this particular case.

[wglb]

Can you explain how, given that an administrator who has access through the web site can access all the information in the database, and given that an exploit on the front end gets administrator access, how in the world encryption does anything to prevent this? If at any point the web server has access to the data, the game is over. Encryption does nothing.

[ChemicalWarfare]

Well, yea there are scenarios where encryption alone doesn't help, but again it's one of the cornerstones of data safety. Other security measures like restricting data access to a limited set of source ips, masking of the data returned to the browser etc are typically put in place when dealing with sensitive info in addition to encryption of data at rest.

Also, that's not what happened at Equifax, at least based on the "struts vulnerability" narrative that Equifax has been pushing.

[wglb]

Not responsive to the question how in the world encryption does anything to prevent this?