It’s a war we rarely admit we’re losing.
Every hour of every day, 24/7, 365 days a year, the siege continues — digital battlegrounds humming quietly behind the screens of everyday life.
Headlines erupt when a major breach breaks through — Qantas, Discord, Boeing’s supplier, Red Hat — but most of the time, the war is invisible.
The truth? We’ve built fortresses around treasure chests we clearly can’t defend… and then kept filling them anyway.
We’ve become numb to it. Another headline. Another apology. Another “we take your privacy seriously.”
Yet this war doesn’t pause. It doesn’t respect business hours.
And while most organisations are still reacting, the attackers are evolving.
The Legacy Feast: How We Became Data Gluttons
Once upon a time, collecting information was simple.
We asked for what we needed to serve our customers better — names, addresses, a few preferences.
Then marketing wanted more. Then compliance. Then KYC, CRM, analytics, and “personalisation.”
Each new era turned the data tap wider. Each system update or regulation justified “just one more field.”
Over time, organisations began feasting on customer data — storing everything, duplicating it across systems, creating endless mirrors of the same person in slightly different forms.
We called it insight.
But in truth, it became data obesity — a corporate addiction to information without digestion, protection, or restraint.
And while “cyber security” became a buzzword and a focus, the reality was that the horse had already bolted.
We’ve been conditioned to believe more data means more control.
In reality, it has become our dependency — something we invest in, protect, and excuse, even when it keeps proving to be our weakness.
The Fortress Fallacy
We have always been drawn to safes and fortresses to protect what’s valuable.
So naturally, we carried that mindset into the digital world.
Over the years, we’ve built digital fortresses — firewalls, encryption, SOC teams — wrapping our data in layers of defence, with treasure troves of information sitting inside where employees could freely access them.
But like any master safe-cracker, hackers rise to the challenge.
The rewards are rich, and the tools of trade are powerful.
What began as small-scale theft has evolved into a multi-billion-dollar global industry.
These modern thieves invest heavily in their weapons, searching for vulnerabilities to exploit.
And in this continuous daily battle, it only takes one moment of weakness — one unpatched system, one human error — for all the defensive work done day in and day out to collapse, delivering hackers a massive payday.
Once an attacker breaches the wall, they don’t find scraps; they often find banquet tables.
Entire CRM databases, identity verification portals, support attachments — ripe with data that can ruin real lives: government IDs, phone numbers, addresses, transaction histories, medical records.
Every “breach response” sounds the same: We take security seriously. We’re investigating. There’s no evidence financial data was compromised.
But the damage is already done.
A phone number plus a date of birth can be enough to unlock identity theft, fraud, or targeted manipulation.
The Hidden Cost: The People Left Exposed
When an organisation is breached, it becomes a news cycle.
When a person’s data is breached, it becomes a life cycle.
Because of the sheer number of data breaches globally, most individuals today have no idea which incident truly exposed them.
By the time the phishing calls start, or the fake loan appears, the link to the original leak is untraceable.
The penalties, regulatory fines, and class actions may look impressive on paper — but they rarely make their way to the victims.
They bear the emotional and practical fallout of decisions made far above them — decisions that began with a simple assumption: “let’s just keep that data; we might need it.”
Somewhere along the way, both organisations and customers accepted this as normal.
Breaches became background noise.
Outrage turned into resignation.
And so the cycle continued: we collect, they steal, we patch, repeat.
The Why Question: Do We Really Need It?
It’s time for a reality check — a rethink — and the question leaders need to resurrect: Why?
- Why are we keeping full dates of birth instead of just age bands?
- Why do we store years of customer communication history “just in case”?
- Why does that department need full visibility of every customer record?
- Why do we duplicate data across systems that can’t talk to each other securely?
“Because we always have” is no longer a valid reason.
Every additional field collected is another jewel to protect.
Every backup, every integration, every export multiplies the blast radius.
Data Obesity Has Consequences
Like any addiction, data hoarding feels harmless — until it isn’t.
The Qantas breach wasn’t about hackers chasing credit cards; it was about exploiting a third-party contact centre platform holding millions of customer profiles.
How much of that information was truly necessary?
Discord’s incident showed how even verification uploads — ID photos, support tickets — became gold mines for attackers.
Each case reflects the same pattern: How much data do we really need? For that long? In that many places? And are we encrypting at the source?
The fortress can’t keep up because we keep feeding the beast inside it.
A Radical Shift: Protect the Jewel, Not Just the Castle
It’s time for a rethink — a new mindset that challenges our habits and legacy systems.
Because while we may be heavily invested in the way things have always been done, the evidence is clear: our clients remain exposed.
If organisations are going to capture personal information, they must be accountable — really accountable — to the people they collect it from.
What’s the true risk-benefit to the organisation?
Because right now, the risk to customers is too high… and they have almost no say.
Protect at source.
Treat each piece of data as if it were its own vault, not part of one giant treasury.
That means:
- Minimising collection to the essentials.
- Encrypting sensitive fields individually, not just the database as a whole.
- Tokenising or pseudonymising wherever possible.
- Automating deletion so data doesn’t live beyond its usefulness and compliance requirements.
- Redefining access: who really needs this data to serve the customer?
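As an added illustration of the list above (not code from the original article), this Python sketch applies minimisation, keyed pseudonymisation, automated retention and role-scoped access to constructed sample records. The retention window, the key and the role allow-lists are assumptions, and per-field encryption with a real AEAD cipher is left to a library such as `cryptography` rather than shown here.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records (fictional people, not real data).
RECORDS = [
    {"id": 1, "name": "Alice Example", "dob": date(1985, 3, 14),
     "phone": "+61 400 000 001", "ticket": "refund query",
     "last_activity": date(2025, 9, 1)},
    {"id": 2, "name": "Bob Example", "dob": date(2000, 12, 1),
     "phone": "+61 400 000 002", "ticket": "address change",
     "last_activity": date(2024, 1, 15)},
]
RETENTION_DAYS = 365              # assumed policy: purge after a year of inactivity
PSEUDONYM_KEY = b"demo-only-key"  # placeholder; a real key lives in a KMS/HSM
# Assumed role allow-lists: "name" and the raw "phone" appear on no list.
ROLE_FIELDS = {"support": {"id", "phone_token", "ticket"}, "analytics": {"id", "age_band"}}

def age_band(dob, today):
    """Minimise: keep a ten-year band instead of the full date of birth."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def pseudonymise(value, key=PSEUDONYM_KEY):
    """Keyed HMAC token: stable for joins, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def minimise(record, today):
    """Build the record the business actually needs; raw name, DOB and phone are dropped."""
    return {
        "id": record["id"],
        "age_band": age_band(record["dob"], today),
        "phone_token": pseudonymise(record["phone"]),
        "ticket": record["ticket"],
        "last_activity": record["last_activity"],
    }

def purge_expired(records, today, retention_days=RETENTION_DAYS):
    """Automated deletion: drop records idle for longer than the retention window."""
    cutoff = today - timedelta(days=retention_days)
    kept = [r for r in records if r["last_activity"] >= cutoff]
    return kept, len(records) - len(kept)

def view_for(role, record):
    """Redefined access: each role sees only its allow-listed fields."""
    return {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}

if __name__ == "__main__":
    today = date(2025, 10, 10)
    lean, purged = purge_expired([minimise(r, today) for r in RECORDS], today)
    print(f"purged {purged}; support view: {view_for('support', lean[0])}")
```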
And yes, every one of us has a role to play.
Two-factor authentication, strong passwords, and privacy settings — these are no longer optional.
They make a difference.
And links from any organisation should be a thing of the past.
Customers should always go directly to a verified website for information, because links — especially in emails and texts — remain one of the most weaponised tools in a hacker’s arsenal.
Yet even with these protections, much of our personal data has already been circulating for years.
The least organisations can do is ensure what they hold next is truly necessary — and truly protected.
From Data Gluttony to Digital Integrity
Boards and executives often ask, “How can we ensure this never happens again?”
The answer isn’t just more software — it’s self-discipline.
Becoming lean with data is an act of integrity and maturity.
It signals that you value your customers not as assets to exploit, but as people who have entrusted you with fragments of their lives.
This is where leadership meets ethics: choosing not to collect because you can, but because you must.
A Pause Worth Taking
We’re losing the cyber war not because we lack the tools, but because we keep expanding the battlefield — and the pace of our weapons continues to accelerate at an alarming rate.
So rethink this: every unnecessary record, every unexpired file, every forgotten upload widens the target.
If we truly want to protect our people — our customers — we have to go on a data diet.
Shrink what we keep. Guard what remains at its source.
Because the real cost of a breach isn’t measured in fines or headlines — it’s measured in trust.
And trust is the one currency no organisation can afford to lose again.
The next time your team proposes collecting a new data field or retaining customer records “for analytics,” stop and ask:
What risk are we adding — and what value are we truly creating? Which way do the scales really tilt?
It’s time to rethink, reduce, and rebuild.
Protect the House by protecting each jewel.
Because once the fortress falls, what’s left is reputation — and reputation cannot be encrypted.