I was staggered to hear that this is apparently a SQL injection attack. FFS, it's 2015, and a major web site that handles personal financial details is vulnerable to an attack vector that was old news in 2005.

It has been old news for rather longer than that. Unfortunately, we as an industry continue to have inexperienced developers with planet-sized egos, which reduces the opportunity to apply collective industry knowledge correctly. Couple that with low-skilled offshorians, low-skilled management, and it's a recipe for unending disaster.

I can sort-of see the point about no legal obligation to encrypt. Most of the information they hold is strictly speaking public. Your name and address are on every letter you receive, your card numbers are available to anyone you pay using a cut-out coupon or old-fashioned card machine, your bank details are on every cheque you write.

Yes, sort of, but how many people have that data in one place? Taking that data and exposing it to every tech-savvy miscreant around the globe is rather different to the risk of Dodgy Dave intercepting my mail. Especially since in this case taking the risk is needless - it's purely a competency issue or a penny-pinching one.

