Throw Away the Key
Encrypt sensistive information in an event and delete the key.
The problem is the same as for Forgettable Payloads: some attributes of an event should not be read by all consumers, and we should be able to delete them, without touching the event store.
Encrypt the sensitive attributes, with a different encryption key for each resource (such as a customer). Only give the key to consumers that require it. When the sensitive information needs to be erased, delete the encryption key instead, to ensure the information can never be accessed again. This effectively makes all copies and backups of the sensitive data unusable.
Throw Away the Key pattern is of course only as good as your encryption and your keey management practices.
Intrigued? I teach workshops about DDD for Messaging Architectures.