Now it's hit another global player: At Microsoft, unknown attackers had access to Microsoft Web Mail services between January and March 2019. They seem to have gained access via the stolen credentials of a Microsoft customer service employee. In addition to e-mail addresses, they were also able to view mail subjects and folder names. The affected users were unlucky: they were advised to change their passwords and beware of phishing attacks.
Once again, a large corporation is handling its customers' data too carelessly. This time Microsoft has been caught. The company advises those affected to take security measures. A bit late. Especially since private users can often do little themselves, in most cases they have to rely on the security measures offered by their provider. However, companies have additional options to protect themselves against unauthorized access.
In any case, it is worth protecting the entire e-mail traffic - e-mail content, the subject and attachments. Encryption is the best method. However, it is not only important to encrypt the data during transport between sender and recipient, but also "at rest" and "in use". The reason is obvious: In the case of Microsoft, an employee's credentials were stolen in order to gain access. If the user's data had already been encrypted at that time, however, the attackers could only have captured useless data. In addition, Microsoft employees seem to have free access to e-mail communication of the customers. Here, too, encryption could have helped to prevent third-party employees from gaining access.
But beware: when it comes to encryption, it is always important to know who has control over the cryptographic key needed to encrypt and decrypt the data. You have to be careful whenever the provider offers "BYOK - Bring your own key". This means that the company itself generates the cryptographic key, which of course sounds good at first. The disadvantage, however, is that the company then has to hand over the key or part of it to the provider so that he can encrypt the data. He therefore inevitably gives up control over the encryption process. But whoever controls the key also has access to the data! With this in mind, the BYOK concept is of course much less attractive.
That's why it's important to know, that only those who control the cryptographic keys and the entire encryption process have complete control over their sensitive data. This works, for example, with an encryption gateway such as the eperi Gateway.