Encryption is viewed by many as "bulletproof" technology to protect data from cyberthieves. Organizations swear by it, and consumers feel overly confident knowing that their recent transactions and personal data are encrypted. Despite the confidence around this "go-to" technology, time has shown that encryption is just not enough. In fact, it's failing us.
High-profile data breaches, including Thursday's DoorDash breach, continue. While the details of the DoorDash incident — which included the last four digits of payment cards for some consumers, as well as names, emails, delivery addresses and phone numbers — require further analysis, other recent corporate hacks show us that encryption either did absolutely nothing to prevent hackers from infiltrating systems or, worse, helped disguise cybercriminals while they wreaked havoc in organizations' systems.
DoorDash is just the latest in a string of cybersecurity incidents affecting hundreds of millions of consumers. In September 2017, Equifax announced a data breach that exposed the personal information of 147 million people. During the incident, an attacker was able to crack into Equifax's system in mid-May and hide within encrypted traffic until the end of July — more than two months without anyone noticing.
In November 2018, Marriott disclosed a data breach that affected 327 million customers, which in my opinion was based on a false sense of security in encryption. Hackers had been hiding in Marriott's system since July 2014, gaining access to a whopping 25.6 million passport numbers in the breach, of which 5.25 million were unencrypted. While it seemed Marriott believed encryption would save the day, the technology was ultimately implemented incorrectly, leaving the organization blindsided during the breach.