Two hacks this month should end the conversation about encryption as a cure-all.
The first was loud: a cyberattack on Kettering Health knocked out patient portals, canceled surgeries, and left doctors scrawling notes on paper charts. The second was quiet, but just as revealing: 410 gigabytes of heap dumps leaked from TeleMessage, a company that sells government-friendly versions of Signal, WhatsApp, and Telegram. Those files included group chats, metadata, even plaintext messages, all from apps that supposedly offered end-to-end encryption.
Different vectors. Same problem. The data was there to be taken.
We spend billions encrypting, backing up, and securing systems that store sensitive data, and then we act surprised when that data is exfiltrated, cracked, or published. But encryption doesn’t always make information safe. It just slows attackers down. If the data exists, it can be stolen. If it’s stored, it can be decrypted. And if it’s sitting on a server, someone will eventually find it.
The security industry has a tendency to confuse “defended” with “invisible.” But the only truly secure data is the data that doesn’t exist anymore.
The Persistence Problem
Most security frameworks focus on controlling access. But access control only works if you trust the environment. In practice, even the most locked-down system still has to store, transmit, and eventually surface data to someone. And the moment it does, that data becomes vulnerable.
In healthcare, it means entire hospitals grinding to a halt when digital records go offline. In intelligence circles, it means sensitive messages sitting on archive servers, waiting to be discovered. It only takes one credential, one leak, one misconfiguration, and the whole system collapses.
The problem isn’t just that data escapes; it’s that it replicates so easily. And the more it spreads, the harder it is to defend.
This isn’t theoretical. We’ve seen attackers walk out with credential databases, message logs, and internal files that were supposed to be encrypted. Increasingly, those files live inside chat platforms like Slack and Microsoft Teams; places where sensitive conversations are logged, archived, and often integrated with dozens of other tools. The reason attackers succeed isn’t just poor configuration. It’s that the data was there at all. It remained in storage, indexed and backed up across platforms that were never meant to handle that level of sensitivity.
The problem isn’t just that data escapes; it’s that it replicates so easily. And the more it spreads, the harder it is to defend.
What Secure Should Actually Mean
Instead of obsessing over how well we can store sensitive data, we should be asking why we’re storing it at all.
If something is sensitive enough to require encryption, it probably shouldn't be sitting around in the first place. While an argument can be made that some type of data does need to be stored, the bulk of what the average organization stores, does not. Communications that contain credentials, approvals, or personal identifiable information don’t need to live forever. They need to reach the right person, be verified, and disappear.
A better architecture starts with identity. Who is sending the message? Who is retrieving the file? Are they who they claim to be, and can we prove it every time? From there, security needs to be built into the interaction itself. Not layered on after the fact.
Messages should expire. Files should “self-destruct” after use. Approvals should only be valid within a trusted session, tied to a verified identity. Sensitive communications should never linger in inboxes or live on third-party platforms without strict expiration and retrieval controls.
The goal shouldn’t be more digital vaults. It should be reducing exposure altogether.
And yes, that’s exactly the approach we take with the platform I co-founded (traceless.com/!). But I’m not pitching. I’m arguing for a shift in mindset. A shift away from systems that hoard data and toward ones that verify and vanish. The whole reason we started this company was because we were working in other industries and saw that this was the need. We wanted it for our companies, and no one was offering it! So Peter and I created it for ourselves!
The assumption that everything needs to be stored, backed up, and archived is a holdover from a different era. When communication was slow, when bandwidth was expensive, when records were paper. Today, information can be transmitted securely, verified in real time, and then removed from the system entirely. That’s not a radical idea. It’s just overdue.
Security doesn’t come from encryption alone. It comes from reducing exposure. From minimizing what exists. From asking, every time, whether this message, this file, this approval really needs to live anywhere beyond the moment it was used.
Data you don’t keep is data that can’t be breached. That’s the model we need more of: one where security is built not on secrecy, but on simplicity. One where communications expire by default. Where verification is part of the flow. Where leaving no trace is the goal, not a bonus.
Until that shift happens, breaches like these will keep happening for the same reason: too much trust, too much data, and not enough control over either.
- Gene
Want to see Traceless in action? Book a quick demo with us HERE!