If data is visible, it’s vulnerable. MOVEit was a trusted platform, relied upon by major organizations like British Airways, the U.S. Department of Energy, and numerous other institutions.
However, the MOVEIT breach, which WIRED dubbed the ‘Worst Hack of 2023’, demonstrated that even when a system uses strong encryption during transmission, it can become a liability if it does not apply core data protection principles throughout the entire lifecycle.
What was more interesting was that hackers didn’t even have to crack complex algorithms or bypass deep encryption layers because the data was already in plain text form.
Encrypted on the Move, Exposed at Rest
MOVEit was built to transfer sensitive data securely, and in many ways, it delivered. Files in transit were encrypted and protected using standard transport security protocols. Governments, corporations, and critical infrastructure providers worldwide trusted the system.
But the real problem was not in the transfer. It was what happened before and after.
In 2023, a year marked by advancements in artificial intelligence and growing adoption of zero-trust security models, one of the most significant data breaches occurred through an old and simple method: SQL injection. This technique involves inserting malicious commands into a database through an input field. It is one of the earliest known web attack methods, and yet it still worked.
Before transferring files with MOVEit, the system often temporarily staged them. It briefly stored files while preparing them for transmission. After completing the transfer, the system may log or cache files for auditing and reporting purposes. These short resting periods created exposure points that the system did not always protect well.
Attackers exploited a previously unknown vulnerability in MOVEit’s software. This zero-day flaw allowed unauthorized access to the system through SQL injection. Once inside, the attackers did not need to crack encryption protocols. They found sensitive data in locations where the system had not yet encrypted it, or where the system had already decrypted it. That access was enough, and the impact was intense.
The Impact of MOVEit Breach
The breach affected over 1,000+ organizations and 60 million individuals worldwide, including major enterprises, government departments, healthcare providers, and educational institutions. This data included:
- Full names
- Dates of birth
- Social Security numbers
- Contact and banking information
- Employment and medical records
This was not a failure of encryption during file transfer. MOVEit performed well during the data transfer. The failure happened because the system did not consistently apply encryption where the data was stored briefly.
MOVEit eventually resolved the vulnerability, but the breach highlighted a systemic issue across the industry. Organizations must protect data at every stage, including before transfer, after arrival, and during any form of processing or storage. Even brief moments of visibility can become entry points for attackers.
This wasn’t an isolated lesson. Just months earlier, another trusted name in digital security, LastPass, experienced a breach that echoed the same theme, yet another case where partial protection gave the illusion of total security.
A Breach Without Breaking the Core
LastPass was built for security. It existed to protect the most sensitive digital assets we have: passwords. Billions of them. It promised end-to-end encryption, zero-knowledge architecture, and total user control. And in many ways, it protected that core.
So in late 2022, when attackers breached the system, they didn’t go for the vault. They went for everything around it. They started with a basic compromise of a developer’s account. From there, they gained insight into how LastPass worked, which provided them with a starting point for a much larger breach.
Later, they came back. This time, they went after a senior DevOps engineer’s home computer, exploiting a third-party app to install malware and steal credentials. Those credentials led to the company’s cloud storage, where backups of customer vaults were kept.
The vaults were encrypted. But not everything else was. The attackers walked away with sensitive metadata, including:
- Email addresses
- Company names
- Billing and IP addresses
- Website URLs
- Other customer identifiers
Once again, encryption in theory did its job. But access control, environment hardening, and metadata protection failed. Just like MOVEit, the breach wasn’t a breakdown of cryptography. It was a failure to protect the edges.
If end-to-end encryption truly went beyond the obvious, it would protect even the overlooked, the assumed, and the unguarded.
LastPass publicly disclosed the breach, cooperated with investigations, and implemented several security changes following the incident. Like many organizations targeted by advanced threat actors, they responded quickly to contain the impact and strengthen their systems.
Encrypted Messaging, Decrypted Backups
iMessage was Apple’s answer to private communication. End-to-end encrypted, device-to-device. Not even Apple could read your messages. It became the gold standard for privacy in mainstream messaging.
However, most users overlooked the fine print, which stated that their device and others’ devices encrypt the data, but the system doesn’t always encrypt it while in transit.
For years, users who enabled iCloud backup were unknowingly sending their messages into the cloud unencrypted. Everything they thought was secure was quietly copied to Apple’s servers in a readable form. It wasn’t a bug. It was the system. Encryption was working, but only until the backup was initiated.
So, when law enforcement knocked or someone compromised accounts, they could access messages through iCloud backups, since those were not end-to-end encrypted by default.
It was a case of encryption being optional by the platform’s default settings until Apple introduced Advanced Data Protection in 2022. iCloud backups, including iMessages, remained unencrypted by default, exposing private messages stored in the cloud.
Just as MOVEit failed at rest and LastPass failed at the edge, Apple has shown us how privacy can fail at the default settings. The product was secure. The backup wasn’t. And in the end, that was enough.
Simple Encryption Alone Is No Longer Enough
MOVEit, LastPass, and iMessage all shared a commonality. They were trusted and encrypted. However, in each case, attackers, instead of trying to break the encryption, were searching for the parts that the system overlooked during encryption. We’ve reached a point where encryption at a single point is just no longer enough.
Attackers understand the flow. They track the data through the blind spots, such as where it’s cached, backed up, logged, or paused. And, if they leave any one of those moments unprotected, everything else falls apart.
Note: The information in this blog is based on publicly available sources and official disclosures from the organizations mentioned, including MOVEit (Progress Software), LastPass, and Apple.
The purpose of this article is to analyze broader cybersecurity lessons and data protection challenges, not to assign fault or make legal claims about any specific organization. All analysis and commentary are intended for educational and informational purposes only.
