Thought exercise
How would you have designed their systems so that the data¹ is stored in a way that makes access more difficult should an attacker be able to breach the database?
I do not know, still thinking. But I guess that my answer would involve separate systems for different types of data, or at a minimum per-column access restrictions, and encryption tied to the IT systems operator authentication credentials. Billing details would not be in my system at all but with a third party specialised in financial systems (in theory they *should* be better at protecting that data).
I don't have experience with this though and would have to research current theory and best practices.
¹ Most of which is needed for providing the service requested and getting paid.
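
One way the three ideas above could look in PostgreSQL with the pgcrypto extension, as an added sketch that is not part of the original post. The table, column, role and setting names are hypothetical, and the key material and billing token are placeholders.

```sql
-- Constructed schema; every name below is hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customers (
    customer_id    uuid  PRIMARY KEY DEFAULT gen_random_uuid(),
    display_name   text  NOT NULL,
    email          text  NOT NULL,
    postal_address bytea NOT NULL,  -- ciphertext from pgp_pub_encrypt()
    billing_token  text  NOT NULL   -- opaque reference from the payment
                                    -- provider; no card data is stored here
);

-- One role per job function; login accounts are granted membership.
CREATE ROLE app_service      NOLOGIN;
CREATE ROLE support_operator NOLOGIN;
CREATE ROLE billing_job      NOLOGIN;

REVOKE ALL ON customers FROM PUBLIC;

-- Per-column restrictions: a stolen app_service session cannot read the
-- address ciphertext or the billing token at all.
GRANT INSERT ON customers TO app_service;
GRANT SELECT (customer_id, display_name, email) ON customers TO app_service;
GRANT SELECT (customer_id, display_name, postal_address)
    ON customers TO support_operator;
GRANT SELECT (customer_id, billing_token) ON customers TO billing_job;

-- Write path: the application holds only the operators' PUBLIC key, so it
-- can encrypt but never decrypt. The key is a placeholder set per session.
SET app.operator_pubkey = '<ASCII-armored public key placeholder>';
INSERT INTO customers (display_name, email, postal_address, billing_token)
VALUES ('Example Customer', 'customer@example.com',
        pgp_pub_encrypt('1 Example Street',
                        dearmor(current_setting('app.operator_pubkey'))),
        '<provider token placeholder>');

-- Read path: decryption needs the secret key plus the passphrase that
-- protects it, which the operator supplies after authenticating.
-- pgcrypto decrypts on the server, so both values reach the database
-- process; decrypting on the operator's client avoids that exposure.
SET app.operator_seckey     = '<ASCII-armored secret key placeholder>';
SET app.operator_passphrase = '<operator passphrase placeholder>';
SELECT display_name,
       pgp_pub_decrypt(postal_address,
                       dearmor(current_setting('app.operator_seckey')),
                       current_setting('app.operator_passphrase')) AS address
FROM customers;
```

A dump of this table yields the address only as ciphertext and the billing details only as a token that is useless without the provider's systems.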