SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
Rebecca

You may think your data is encrypted. It's not.

Tue, 18th Nov 2025

How the world's most sophisticated organizations are getting breached, despite "best practice" encryption.

In 2024, a 26-year-old software engineer sitting in Ontario, Canada orchestrated what became known as one of the largest data breaches in history. Connor Riley Moucka was part of a hacking group known as UNC5537 or Scattered Spider. He didn't need sophisticated zero-day exploits or nation-state resources. He didn't hack through firewalls or exploit complex vulnerabilities. He simply logged in.

Using stolen credentials that were not secured with basic Multi-Factor Authentication (MFA), Moucka and his associates accessed Snowflake customer environments belonging to AT&T, Ticketmaster, Santander Bank, and over 160 other organizations. The result? Hundreds of millions of customer records stolen, over $2 million in extortion payments collected, and what security experts now call one of the biggest breaches ever.  

Here's the shocking part: Snowflake claimed all customer data was automatically encrypted by default with end-to-end encryption using strong AES 256-bit keys. So how did attackers walk away with terabytes of sensitive data?  


The $2 Million Wake-up Call 

The Snowflake incident isn't an outlier. It's representative of a systemic vulnerability in how modern organizations protect data. According to Verizon's 2024 Data Breach Investigations Report, compromised credentials are again the top cause of breaches, and stolen credentials were involved in 71% of web application attacks that compromised data. Here are just a few examples:

  • National Public Data (NPD). A data breach exposed approximately 2.9 billion records in late 2023, including Social Security numbers, names, and addresses belonging to 270 million people. The company, which provides data for background checks, filed for Chapter 11 bankruptcy in October 2024 and shut down in December 2024 due to numerous lawsuits related to the breach.
  • Ticketmaster. In May 2024, the hacking group ShinyHunters claimed responsibility for a data breach affecting 560 million Ticketmaster customers. The group offered the stolen data -- including names, addresses, and credit card information -- for sale on the dark web for $500,000. Ticketmaster's parent company, Live Nation, acknowledged "unauthorized activity" in a third-party cloud database environment used by Ticketmaster between April 2 and May 18, 2024.  
  • AT&T.  A data breach occurred largely over a five-month period in 2022.  Hackers accessed and downloaded call and text metadata for "nearly all" of AT&T's cellular customers, along with data from some landline customers (109 million in total). The breach exposed metadata such as call and text records, including who was contacted, when, and for how long.  The compromised data was stored on a poorly secured third-party cloud platform.  

The average data breach now costs $4.9 million. Yet organizations continue investing in perimeter security while leaving their most valuable asset - the data itself - vulnerable during normal operations.  

The Database Encryption Myth

Many CISOs confidently report that their organization's data is "fully" or "end-to-end" encrypted. Compliance dashboards show encryption at rest and in transit, backed by SOC 2 reports and security certifications. But there's a critical gap in this story - one that's costing organizations millions and exposing billions of records.

Traditional encryption protects data in two states: at rest (when stored) and in transit (when moving between systems). But data is at its most vulnerable in a third state: in use, when it's being actively accessed, processed, or analyzed. During normal operations, databases keep data decrypted in clear text to make it accessible to applications and users. Further, while data may be encrypted at rest, the at-rest state only occurs when the application is completely shut down. Realistically, this means that data remains decrypted continuously. This creates windows of vulnerability where sensitive information exists in clear text, making it susceptible to attack or human error, both of which can have significant consequences.

"Encryption at rest" for operational databases and unstructured data is largely a marketing term. Databases are never "at rest" once they're running. 

When your database is operational, even when no user queries are being processed, the data exists in unencrypted form (also called clear text) within the database engine's memory and processing environment. Encryption at rest only protects data when systems are completely powered down, which rarely occurs in production environments.  This means your application is actually running with data decrypted in clear text 24/7, accessible to anyone with valid credentials or system access. 
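The gap described above can be made concrete with a small simulation. The example below is added here and is not code from the article or from any vendor it mentions. It builds two toy databases on top of sqlite3: one where the storage engine holds the key and decrypts everything into memory when it starts (the "encryption at rest" model), and one where the application encrypts the sensitive column with a key the database never sees. The credentials, customer rows and the keystream cipher (HMAC-SHA256 in counter mode, standing in for AES-256 because the Python standard library has no AES) are all constructed for the demonstration; a real deployment would use AES-256-GCM from a vetted library.

```python
"""Added example (not from the article): 'encryption at rest' versus
application-level field encryption, seen through a valid-credential query.

The keystream cipher below is a constructed stand-in for AES; it is here only so
the example runs offline with the standard library.
"""
import hashlib
import hmac
import json
import os
import sqlite3

# Constructed sample login for a service account protected by a password only (no MFA).
VALID_CREDENTIALS = {"etl_service": "s3rv1ce-p@ss"}
# Constructed sample rows: (id, name, ssn).
CUSTOMERS = [(1, "Ada Lovelace", "123-45-6789"), (2, "Alan Turing", "987-65-4321")]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF(key, nonce || counter) XORed with data; the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per message, prepended to the ciphertext
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


def _authenticate(user: str, password: str) -> None:
    if VALID_CREDENTIALS.get(user) != password:
        raise PermissionError("invalid credentials")


class StorageEncryptedDB:
    """'Encryption at rest': the engine owns the storage key, decrypts the whole
    table into memory on start-up, and answers SQL over clear text until shutdown."""

    def __init__(self, rows):
        self._storage_key = os.urandom(32)  # key lives with the database engine
        self.disk_image = encrypt(self._storage_key, json.dumps(rows).encode())
        self.conn = None

    def start(self):
        rows = json.loads(decrypt(self._storage_key, self.disk_image))
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn TEXT)")
        self.conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", rows)

    def shutdown(self):
        rows = self.conn.execute("SELECT * FROM customers").fetchall()
        self.disk_image = encrypt(self._storage_key, json.dumps(rows).encode())
        self.conn.close()
        self.conn = None

    def query(self, user: str, password: str, sql: str):
        """Anyone presenting valid credentials gets whatever the engine holds in memory."""
        _authenticate(user, password)
        return self.conn.execute(sql).fetchall()


def app_encrypt_rows(app_key: bytes, rows):
    """Application-level encryption: the ssn column is encrypted before it ever
    reaches the database, with a key the database does not hold."""
    return [(i, name, encrypt(app_key, ssn.encode()).hex()) for i, name, ssn in rows]


def app_decrypt_ssn(app_key: bytes, hex_blob: str) -> str:
    return decrypt(app_key, bytes.fromhex(hex_blob)).decode()


def credentialed_view(db: StorageEncryptedDB) -> str:
    """What a valid (possibly stolen) database login sees for customer 1's SSN."""
    return db.query("etl_service", "s3rv1ce-p@ss", "SELECT ssn FROM customers WHERE id = 1")[0][0]


def demo() -> dict:
    at_rest = StorageEncryptedDB(CUSTOMERS)
    disk_leaks = b"123-45-6789" in at_rest.disk_image  # the on-disk image really is encrypted
    at_rest.start()
    seen_storage_model = credentialed_view(at_rest)  # ...but in use it is clear text
    at_rest.shutdown()

    app_key = os.urandom(32)
    app_model = StorageEncryptedDB(app_encrypt_rows(app_key, CUSTOMERS))
    app_model.start()
    seen_app_model = credentialed_view(app_model)  # ciphertext even for a valid login
    recovered = app_decrypt_ssn(app_key, seen_app_model)  # only the key holder recovers it
    app_model.shutdown()

    return {
        "disk_image_leaks_plaintext": disk_leaks,
        "storage_model_in_use": seen_storage_model,
        "app_model_in_use": seen_app_model,
        "app_key_holder_recovers": recovered,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the simulation makes is the one the article makes: the storage-model disk image passes an "is it encrypted at rest?" check, yet a single valid login returns the SSN in clear text the moment the engine is running. Moving the encryption boundary into the application (and, in practice, into an HSM or key-management service the database cannot call) means a compromised database credential yields ciphertext, and the key holder becomes the thing to protect and monitor.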

True data protection requires continuous encryption that keeps information secure during all states, including when it's being used. Until organizations address this fundamental gap, they'll continue to be blindsided by breaches that bypass all their traditional security measures.  
