1. Most companies, even large ones, do not encrypt everything. Some do, usually because they have to according to some regulation of the space they operate in (HIPAA for example).
2. Passport numbers are a grey area. Is it public information? Is it private information?
3. Even if you encrypt your database, the key will most often be lying next to it. Unless your company really cares about security, because they have to by design, they will most often not architect an infrastructure that protects the key.
4. The systems that use the encrypted data are themselves vulnerabilities; if the attacker can collect the data through systems that can decrypt the data for them, then they may not even know that the data was encrypted. Attacks on these kinds of databases are often through services and not by just taking the database wholesale. Thus encryption is not really a robust protection against theft, it only protects against theft via discarded media and the like.
Numbers are too easy to crack by enumeration. You can just enumerate all possible passport numbers, encrypt them, and compare two hashes. It takes seconds on a modern CPU. Even if a salt is used, all 5E6 records can be cracked in about 2 months on a modern desktop, or in 1 day on a 60-node cluster.
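An added example, not part of the thread: a Python check of the comment above, using a constructed 5-digit identifier space so it runs in well under a second. It shows that an unsalted or per-record-salted SHA-256 of a short number is recovered by walking the keyspace, while an HMAC whose key is held outside the database (assumed here to be a KMS/HSM) is not; all function names and the 10**9 keyspace in the last line are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

DIGITS = 5  # constructed toy keyspace (10**5 values) so the check runs quickly

def salted_sha256(number: str, salt: bytes = b"") -> str:
    """Unkeyed digest: anyone holding the table (and its salts) can recompute it."""
    return hashlib.sha256(salt + number.encode()).hexdigest()

def keyed_hmac(number: str, key: bytes) -> str:
    """Keyed digest: recomputing it requires a secret kept outside the database."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()

def recover(target: str, digest: Callable[[str], str]) -> Optional[str]:
    """Walk the whole identifier space; return the value whose digest matches."""
    for n in range(10 ** DIGITS):
        candidate = f"{n:0{DIGITS}d}"
        if digest(candidate) == target:
            return candidate
    return None

def hashes_needed(keyspace: int, records: int, per_record_salt: bool) -> int:
    """Worst-case digest computations to cover every record in a table."""
    return keyspace * records if per_record_salt else keyspace

def demo() -> dict:
    number = "04217"                      # constructed sample identifier
    salt = secrets.token_bytes(16)        # stored beside the digest, so known
    key = secrets.token_bytes(32)         # assumed to live in a KMS/HSM
    wrong_key = secrets.token_bytes(32)   # all a table-only copy can try
    return {
        "unsalted": recover(salted_sha256(number), salted_sha256),
        "salted": recover(salted_sha256(number, salt),
                          lambda c: salted_sha256(c, salt)),
        "hmac_without_key": recover(keyed_hmac(number, key),
                                    lambda c: keyed_hmac(c, wrong_key)),
        "hmac_with_key": recover(keyed_hmac(number, key),
                                 lambda c: keyed_hmac(c, key)),
    }

if __name__ == "__main__":
    print(demo())
    # 5E6 records is the figure from the comment; 10**9 is an assumed keyspace
    print(hashes_needed(10 ** 9, 5_000_000, per_record_salt=True))
```

A per-record salt multiplies the work by the number of records but does not enlarge the keyspace; only a key kept away from the database changes the outcome, which is the concern raised in point 3.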
The passport record and the number of the passport record are protected by the Privacy Act[1].
(4) the term “record” means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph;