For a long time, I considered extra encryption for email unnecessary and a bit overkill. My argument was that if spam filters and strong passwords exist, what’s the point in using a secure and encrypted email provider? I almost always viewed people who advocated this approach as paranoid.
Well, my mindset has shifted. I now view email encryption as an absolute necessity, especially following high-profile email breaches, such as the 2025 Hewlett Packard Enterprise (HPE) data breach. It was a real, high-stakes case that showed the weakness of unencrypted email and helped me see encrypted email differently.
The HPE breach
Email is still a prime target
Hewlett Packard Enterprise is one of the largest IT companies in the world, so it was not a minor story in 2024 when they revealed that suspected state-linked hackers had been in their email environment for several months. According to Bleeping Computer, the attackers were tied to a hacking group known as Midnight Blizzard (APT29) and had reportedly compromised a Microsoft 365 account in May 2023.
HPE revealed that a tiny percentage of mailboxes in cybersecurity and business operations were accessed. However, the emails from the affected accounts contained important personal identifiers, such as Social Security numbers, driver’s licenses, and payment card details.
We don’t know the exact technical attack vector for the breach, but one thing is clear: email is still a prime target. It’s more than just communications—it’s financial reports, identity documents, and internal strategy. And if attackers were successful in pulling high-level material from a global enterprise, your inbox could be an easier target.
Encryption matters
Encryption would have limited the damage
Encryption makes a difference. It’s not a silver bullet, but it would’ve changed the outcome of the breach. Companies commonly protect messages in transit and at rest. So, there’s a certain level of encryption that shields the messages from casual interception or bulk server theft. However, in-transit and at-rest encryption wouldn’t suffice if hackers gained access to accounts and read the messages directly—this was the case with HPE.
This is where end-to-end encryption would’ve played a vital role. With it, messages can only be unscrambled with the account owner’s private keys, so anyone who gains access to an account would still need those keys to read anything. Instead of exfiltrating months of readable messages, all the attackers would’ve gotten was ciphertext.
What we learn from the HPE breach is that if encryption only covers part of the chain, the gap exposed could still be wide enough for a determined attacker to make a move and steal valuable data.
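The difference between at-rest and end-to-end encryption described above, as an added Node.js example that is not from the original article or from any provider’s code. The function names, the sample message, and the X25519 + HKDF + AES-256-GCM construction are assumptions chosen for illustration; real encrypted mail typically uses OpenPGP or S/MIME.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM seal/open used by both storage models.
function seal(key, text) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, box) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]).toString('utf8');
}

// Stand-in hybrid scheme (assumption, not OpenPGP or S/MIME): X25519 then HKDF-SHA256.
function messageKey(privateKey, publicKey) {
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey });
  const okm = nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'mail-e2ee-demo', 32);
  return Buffer.from(okm);
}

const MESSAGE = 'Constructed sample: payroll export attached';

// Model A, at-rest only: the provider holds the key and decrypts for any valid session.
const providerKey = nodeCrypto.randomBytes(32);
const atRestStore = [seal(providerKey, MESSAGE)];
function readViaSessionAtRest() {
  return atRestStore.map((box) => open(providerKey, box));
}

// Model B, end-to-end: the private key never leaves the recipient's device.
const recipient = nodeCrypto.generateKeyPairSync('x25519');
function sendE2ee(recipientPublicKey, text) {
  const eph = nodeCrypto.generateKeyPairSync('x25519'); // fresh key per message
  const box = seal(messageKey(eph.privateKey, recipientPublicKey), text);
  return { ...box, ephemeralPublicKey: eph.publicKey };
}
const e2eeStore = [sendE2ee(recipient.publicKey, MESSAGE)];
function readViaSessionE2ee() {
  return e2eeStore; // the provider can only hand back what it stores: ciphertext
}
function decryptOnDevice(privateKey, stored) {
  return open(messageKey(privateKey, stored.ephemeralPublicKey), stored);
}
function canDecrypt(privateKey, stored) {
  try { decryptOnDevice(privateKey, stored); return true; } catch { return false; }
}
console.log(readViaSessionAtRest()[0], '|', readViaSessionE2ee()[0].ct.toString('hex'));
```

In Model A a valid session is all it takes to read plaintext; in Model B the same session returns only the stored blob, and decryption fails for any key other than the recipient’s.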
Undetected breaches
Encryption can protect you when breach detection comes late
The Hewlett Packard Enterprise intrusion lasted between May and December 2023, a seven-month period. This dwell period isn’t unusual for advanced attackers. The 2020 SolarWinds hack had an estimated dwell time of over a year, and there have been cases where attackers remained unnoticed for up to four years. When the target is email, it’s more dangerous. Your mailbox holds current data and also archives years of history. A single breach exposes not only the present but also years of saved data and communications.
Detection is critical, and so is response. However, they can’t stand alone. By the time you detect a breach, it might be too late, because the attacker may have already copied your entire archive. Implementing stricter security systems will make future breaches harder, but it does nothing to protect data already exfiltrated.
So, here’s the truth: if your email isn’t encrypted, data exposure is the direct consequence of any delay in detection.
Not corporations but individuals
There are lessons for everyday people
Corporate breaches will always make the headlines. While I’ve highlighted the HPE breach, there have been several others: the 2016 Democratic National Committee (DNC) email leak, the 2024 SogoTrade phishing scam, and the 2015 Nutmeg accidental email breach, to name a few. What most people forget is that individual inboxes also contain sensitive information, and unlike the top enterprises, most people rarely consider encryption or other forms of data hygiene.
Attackers know that your personal inboxes are valuable and easier targets because, even though they contain important data, the security is sometimes lax. A single breach gives them enough material to impersonate you or reset your account.
To stay safe, I ensure that my go-to email providers support stronger encryption. There are just too many advantages to using encrypted email. But it doesn’t stop there. I delete old documents that I don’t need, and I use multi-factor authentication across all my accounts. There are several multi-factor authentication methods you may explore. None of these steps would totally eliminate every risk. However, what they do is help ensure an intrusion doesn’t become a full-scale disaster.
Email is not broken
What email breaches have shown me is that email isn’t broken, but the way we treat email is outdated. Email encryption should be a baseline expectation that we hold our providers accountable for. If you implement stronger encryption, proactive cleanup, and layered security, you’ll increase the cost of an attack.
There will always be breaches, but what really matters is control. You want to make sure that, in the event of a compromise, the amount of data the attacker controls is limited.