by paulajohnson 3175 days ago
#3 bugs me. It gets asked every time there is a breach, but it's irrelevant.

Encryption at rest is only useful if the only way to access the data is to type in the key. But for Equifax there are going to be hundreds or thousands of accesses per second. If you encrypt the data then you have added no protection at all because you still have a huge pipeline out through an always-on decryption mechanism. Any attacker is going to access the data through that mechanism and ignore the encryption completely.

2 comments

It depends on how they get access, and it can prevent some types of access. For example, they can’t steal backups, and they may need access through a web app server that has the database key rather than being able to go directly to the database. It’s not a catch-all solution but it is correct security practice and they should have been doing it.
Depends on the vulnerability. If you have RCE (like I understand Equifax had) then encryption at rest is useless, the code can access the data, obviously, so the RCE code can too (maybe with a little more work, but ultimately it is not a barrier anymore).
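An added example, not from the thread, that makes the two replies concrete: the database only ever holds ciphertext and the key lives in the application process, so a copied backup reveals nothing, while anything that runs inside the app (the "always-on decryption mechanism") reads plaintext through the normal lookup. All names are assumed; the SHA-256 counter-mode construction is a standard-library stand-in for AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed demo key. In practice the app server loads this from a KMS/HSM;
# the database host and its backups never see it.
APP_KEY = os.urandom(32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_field(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# The "database" table: stores ciphertext only.
DB: dict[str, bytes] = {}

def store_ssn(user_id: str, ssn: str) -> None:
    DB[user_id] = encrypt_field(APP_KEY, ssn.encode())

def app_lookup(user_id: str) -> str:
    # The decryption path the thread describes: every request goes through it,
    # so any code executing inside the app process gets plaintext here.
    return decrypt_field(APP_KEY, DB[user_id]).decode()

def backup_dump() -> dict[str, str]:
    # What a stolen database backup contains: ciphertext, no key.
    return {uid: blob.hex() for uid, blob in DB.items()}

def backup_reveals(dump: dict[str, str], secret: str) -> bool:
    # True only if the plaintext is recoverable from the dump by inspection.
    return any(secret.encode().hex() in blob for blob in dump.values())
```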