Encrypted-at-rest data can still leak if plaintext values are logged before encryption occurs. A real incident shows how debug logs containing raw sensitive data were shipped to a third-party tool weeks later with no alerts triggered. The fix was strict log filtering at the source, ensuring sensitive data never touches logs at any point in the pipeline.
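One way to filter at the source, as an added example that is not from the original incident or any project it involved: a Python `logging` record factory that scrubs every record when it is created, so no handler or log shipper ever receives the raw value. The field names in `SENSITIVE_KEYS`, the logger name and the sample events are assumptions constructed for illustration.

```python
import logging
import re

# Assumed sensitive field names (not from the original page); adapt to your schema.
SENSITIVE_KEYS = ("password", "ssn", "card_number", "token")
MASK = "[REDACTED]"
# Matches key=value / key: value pairs in free-text messages.
_KV = re.compile(r"(?i)\b(%s)\b(\s*[=:]\s*)[^\s,;&]+" % "|".join(SENSITIVE_KEYS))

def redact(value):
    """Mask sensitive dict keys and key=value pairs, recursing into containers."""
    if isinstance(value, dict):
        return {k: MASK if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    if isinstance(value, str):
        return _KV.sub(lambda m: m.group(1) + m.group(2) + MASK, value)
    return value

_base_factory = logging.getLogRecordFactory()

def redacting_factory(*args, **kwargs):
    """Scrub the record at creation, before any handler or shipper sees it."""
    record = _base_factory(*args, **kwargs)
    record.args = redact(record.args)            # structured arguments first
    if not isinstance(record.msg, str):
        record.msg = redact(record.msg)          # e.g. a dict logged directly
    record.msg = redact(record.getMessage())     # then the interpolated text
    record.args = None                           # message is already final
    # Fields passed via extra= are attached after this factory runs and
    # need a separate filter.
    return record

logging.setLogRecordFactory(redacting_factory)

class ListHandler(logging.Handler):
    """Stand-in for a handler that forwards logs to an external tool."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def demo():
    handler, log = ListHandler(), logging.getLogger("billing.debug")  # hypothetical name
    log.setLevel(logging.DEBUG); log.propagate = False; log.addHandler(handler)
    # Constructed sample events, not taken from the incident.
    log.debug("login attempt user=alice password=hunter2")
    log.debug("encrypting record %s", {"name": "Bob", "ssn": "078-05-1120"})
    log.debug("issued token=%s", "tok_abc123")
    log.debug("charge ok amount=%d", 42)
    log.removeHandler(handler)
    return handler.lines
```

Key-name matching only catches fields it has been told about, so pair it with a review of what debug statements log in the code path that runs before encryption.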
