The point is really whether the database itself is compromised, or the code that accesses it.

I was staggered to hear that this is apparently a SQL injection attack. FFS, it's 2015, and a major web site that handles personal financial details is vulnerable to an attack vector that was old news in 2005.

I can sort of see the point about no legal obligation to encrypt. Most of the information they hold is, strictly speaking, public. Your name and address are on every letter you receive, your card numbers are available to anyone you pay using a cut-out coupon or old-fashioned card machine, your bank details are on every cheque you write.

In the days of paper transactions, none of this really mattered. Nowadays this public information is supposed to be kept secret. It's security by obscurity on a global scale.

