[paulddraper]

Encrypting at rest wouldn't have solved anything.

They didn't steal the disk. They gained access to the web server, which would have access to the unencrypted data.