Is Your Data Already Compromised? The Post-Quantum Question

The question is not whether quantum computers will break current encryption. The question is whether the data encrypted with current algorithms has already been captured by adversaries who are waiting for quantum decryption capabilities. The answer, for any organization that has transmitted sensitive data over the internet in the past decade, is almost certainly yes.

This is the harvest-now-decrypt-later (HNDL) threat. It is not a future problem. It is a present condition. The harvesting has already happened. The decryption is what remains in the future. And once the data is harvested, there is nothing retroactive you can do to protect it. The encryption that protects it is fixed at the time of transmission. If that encryption was RSA-2048 or ECDSA P-256, the data will be decryptable by a sufficiently powerful quantum computer, regardless of any migration you undertake after the fact.

What Has Already Been Captured

Intelligence agencies have been conducting mass collection of encrypted internet traffic for over a decade. The Snowden disclosures in 2013 revealed that the NSA's UPSTREAM program tapped fiber optic cables carrying internet traffic, collecting the encrypted data streams that passed through. The XKEYSCORE program provided a searchable database of collected internet traffic. The MUSCULAR program, conducted jointly with GCHQ, intercepted traffic between data centers of major internet companies.

These programs collected encrypted data specifically because the agencies could not decrypt it at the time. The data was stored with the expectation that future capabilities -- including quantum computing -- would enable decryption. This is not speculation. The NSA's own research priorities in quantum computing, documented in leaked budget documents, explicitly reference the goal of breaking public-key encryption.

The United States is not the only actor engaged in HNDL collection. China's intelligence services have been implicated in mass collection of encrypted traffic from undersea cables and through compromised network equipment. Russia's SORM system requires telecommunications providers to install equipment that enables the FSB to intercept all communications, including encrypted traffic. Multiple other nation-states maintain similar capabilities.

The volume of data captured through these programs is measured in exabytes. The cost of storage has decreased by a factor of 1,000 over the past twenty years, making long-term retention of captured traffic economically trivial. An exabyte of storage costs approximately $10 million today, a negligible expense for a nation-state intelligence budget.

Categories of Data at Risk

Not all data is equally valuable to HNDL adversaries. The value of captured data depends on its sensitivity lifespan: how long the data remains useful or damaging if exposed.

Healthcare records: Protected health information has an indefinite sensitivity lifespan. Medical diagnoses, genetic data, psychiatric records, and substance abuse treatment records are sensitive for the lifetime of the patient and often beyond. Healthcare data transmitted over TLS connections with RSA or ECDH key exchange is capturable and will be decryptable. HIPAA's security rule requires protection of PHI, but the rule was written before quantum threats were considered.

Financial records: Account numbers, transaction histories, wire transfer instructions, and investment portfolios have sensitivity lifespans ranging from years to decades. Regulatory retention requirements for financial records often extend to seven years or more, meaning that data captured today will still be within its retention period when quantum decryption becomes available.

Legal communications: Attorney-client privileged communications have an indefinite sensitivity lifespan. Merger and acquisition communications, litigation strategy discussions, and regulatory investigation responses are valuable to adversaries for as long as the underlying matters are relevant. Law firms transmitting sensitive communications over standard TLS are exposing those communications to future quantum decryption.

Government classified information: Classified data has sensitivity lifespans defined by its classification level, ranging from years to decades. Signals intelligence, human intelligence source identities, and strategic plans have some of the longest sensitivity lifespans in any data category. Government agencies have been the most aggressive in recognizing the HNDL threat, but many systems still transmit classified data using classical encryption.

Intellectual property: Trade secrets, research data, product designs, and patent applications have sensitivity lifespans that can extend for decades. A pharmaceutical company's drug development data captured today could be decrypted and used by a competitor in ten years, before the data has lost its commercial value.

Personal communications: Private messages, emails, and voice calls are sensitive for the lifetime of the participants. Compromising personal communications enables blackmail, coercion, and social engineering attacks that can be executed years after the data was captured.

The Mathematics of Inevitability

The question of when quantum computers will break current encryption is a question of engineering timelines, not mathematical possibility. Shor's algorithm, published in 1994, provides a polynomial-time algorithm for factoring integers and computing discrete logarithms. Both RSA and elliptic curve cryptography rely on the assumed hardness of these problems. Shor's algorithm reduces them to problems that quantum computers can solve efficiently.

The engineering challenge is building a quantum computer with enough error-corrected logical qubits to run Shor's algorithm against production key sizes. Current estimates suggest that breaking RSA-2048 requires approximately 4,000 logical qubits, which translates to millions of physical qubits with current error rates. IBM's roadmap targets 100,000 physical qubits by 2033. Google, Microsoft, Amazon, and several well-funded startups are pursuing similar timelines.

The consensus among cryptographers is not whether Shor's algorithm will be executed against production key sizes, but when. Estimates range from 2030 (aggressive) to 2045 (conservative). The midpoint of expert estimates has been steadily moving earlier as quantum computing progress exceeds expectations.

For HNDL, the relevant calculation is not just when quantum decryption becomes possible, but when the captured data is still within its sensitivity lifespan. Healthcare data captured in 2020 and decrypted in 2035 is still sensitive. Legal communications captured in 2023 and decrypted in 2038 are still privileged. The fifteen-year window between capture and decryption is shorter than the sensitivity lifespan of most categories of high-value data.

What You Cannot Fix Retroactively

Here is the critical point that many organizations miss in their quantum risk assessments: migrating to post-quantum cryptography protects future communications but does nothing for data that has already been captured.

If your organization transmitted sensitive data over TLS with RSA or ECDH key exchange between 2010 and today, that data has potentially been captured by HNDL adversaries. Deploying ML-KEM tomorrow protects communications from tomorrow forward. It does not retroactively protect the data that was transmitted yesterday. That data is encrypted with the algorithms that were used at the time, and those algorithms will be broken by quantum computers.

This means that the HNDL exposure for any organization is a function of two variables: how much sensitive data has been transmitted over quantum-vulnerable channels, and how long that data remains sensitive. Organizations that have transmitted large volumes of long-sensitivity-lifespan data over classical TLS have the greatest HNDL exposure. This includes virtually every healthcare system, financial institution, law firm, and government agency.

The implication is that PQC migration has a deadline that has already passed for some categories of data. For data with a 20-year sensitivity lifespan that was transmitted in 2015, the HNDL window opens in 2035 at the latest. No action taken today changes the exposure of that data. The action that would have protected it was deploying PQC in 2015, which was not feasible because the standards did not exist yet.

This is an uncomfortable reality, but it is important to face it clearly because it shapes the urgency of the response. Every day that passes without PQC migration adds another day's worth of data to the HNDL exposure. The data that will be transmitted tomorrow over classical encryption will join the corpus of data that is already captured and waiting for quantum decryption.

What You Can Protect Going Forward

While retroactive protection is impossible, prospective protection is straightforward. The NIST post-quantum standards (FIPS 203, 204, 205) provide approved algorithms for key encapsulation and digital signatures that are resistant to quantum attacks. Deploying these algorithms for all new communications and data-at-rest encryption stops the bleeding.

The H33 overlay approach enables immediate deployment without rebuilding existing infrastructure. By adding a post-quantum encryption layer on top of existing systems, organizations can protect all new communications while maintaining backward compatibility with existing integrations. The overlay uses hybrid key exchange (classical ECDH combined with ML-KEM) so that the connection is quantum-safe even while maintaining classical compatibility.

For data at rest, re-encrypting existing stored data with post-quantum algorithms provides protection against future compromise of the encryption keys. If the data was encrypted with AES-256 using a key that was exchanged via RSA, the data itself is secure (AES is quantum-resistant with sufficient key sizes), but the key exchange is vulnerable. Re-encrypting the data or re-wrapping the encryption keys using ML-KEM protects the key exchange layer.

The most critical action is identifying which systems transmit the highest-sensitivity, longest-lifespan data and prioritizing PQC deployment for those systems. A hospital transmitting patient records has a higher HNDL urgency than a marketing team sharing campaign analytics. A law firm transmitting M&A documents has a higher urgency than a help desk system transmitting support tickets. Prioritization based on data sensitivity lifespan is the most efficient use of migration resources.

The Assessment Framework

Organizations should conduct an HNDL exposure assessment that answers four questions. First, what sensitive data has been transmitted over quantum-vulnerable channels? This requires reviewing the organization's communication patterns, data flows, and encryption configurations over the relevant time period. Second, what is the sensitivity lifespan of that data? Data that is no longer sensitive if exposed (expired financial data, obsolete product designs) represents low HNDL risk. Data that remains sensitive for decades (healthcare records, legal communications) represents high risk. Third, what adversaries might have captured this data? Organizations in sectors targeted by nation-state intelligence (defense, energy, finance, technology) should assume HNDL collection. Fourth, what is the organization's risk tolerance for eventual exposure of the captured data?

This assessment produces a risk profile that guides the urgency and scope of PQC migration. Organizations with high HNDL exposure (large volumes of long-sensitivity data in targeted sectors) should treat PQC migration as an immediate priority. Organizations with lower exposure can plan a more measured migration, but they should still begin to prevent further accumulation of HNDL-vulnerable data.

The assessment also informs conversations with cyber insurers, who are increasingly asking about quantum risk exposure. An organization that has conducted an HNDL assessment and begun PQC migration demonstrates security maturity that can positively influence underwriting decisions.

The Urgency Is Now

The data that has been captured cannot be uncaptured. The encryption that was used cannot be retroactively strengthened. The only variable that remains in your control is whether you continue to add to the corpus of HNDL-vulnerable data or whether you stop the bleeding by deploying post-quantum encryption for new communications.

Every day of delay adds another day's worth of data to the adversary's collection. Every year of delay extends the window during which that data will be decryptable after quantum computers arrive. The cost of delay is not a future risk; it is a present accumulation of liability that grows with each passing day.

The standards are finalized. The technology is production-ready. The deployment path exists as an overlay that does not require rebuilding your infrastructure. The question is no longer "is this technically possible?" or "has this been standardized?" The question is: when will you stop adding to the corpus?