Why isn't everything encrypted?
Roughly 20 years ago, I went to work for a small credit card company as a programmer. The company used direct mailings to market itself, and was growing rapidly. When I was hired, I was the second IT employee. By the third year, there were almost 20 of us.
As with any normal company, people are occasionally let go, and we had a network admin that was creating more problems than he was fixing. So he got the axe.
About a month later, a competitor was suddenly contacting the people our mail was going to before the mail got there. It took a while to notice this, but it was causing a reduction in customers signing up that was clearly noticeable both from signup numbers and income from those.
The boss finally demanded that every IT employee come in over the weekend and audit each and every computer system in the company, checking for any possible way that the outside world could get in and steal data. So we spent 2 days checking hundreds of PCs, and in the process, we found that one computer, in the sales department manager's office, had a modem card in it that should not have been there, and that the card was connected to a standard phone line that the company had not ordered. We removed the modem card from the system.
Not surprisingly, a week later signups were back to normal and income was as well.
But we sat down and had a lengthy discussion about how to prevent anyone from ever getting more than just an ID code number from our systems even if they had full access, and while it took about 2 months to get the code updated, we finally spent a weekend encrypting every name, address, phone number, and everything else on every customer in our databases. The encryption key was in a file that itself was encrypted, and the IT department programming systems were isolated from the production systems by an air gap to keep the encryption keys safe. Even within the IT department, there were only 2 of us that knew the encryption key, plus the owner of the company.
With all the changes we made, even if someone were to somehow gain full access to the production system, everything was fully encrypted except for a unique ID code that we generated the second a new customer was added to the system. Everything anyone system-wide could access was decrypted only to display or process what had to be used. Anything that did not need to be decrypted wasn't.
So when I see these huge mega-corporations and the government losing data like they are, I just do not understand why they have not done what we did nearly 20 years ago.
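The scheme described above (a plaintext ID, every other customer field encrypted, the key kept in a file that is itself encrypted, and decryption only of the field in use) can be illustrated with Node's built-in `crypto` module. This is an added example, not the author's or the company's code; the choice of AES-256-GCM and scrypt, the binding of each field to its record ID, and all function names and sample values are assumptions.

```javascript
// Added example: field-level encryption with a wrapped key. All names are hypothetical.
const crypto = require('crypto');

// AES-256-GCM seal/open; `aad` is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv).setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}
function open(key, blob, aad) {
  const b = Buffer.from(blob, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, b.subarray(0, 12)).setAAD(Buffer.from(aad));
  d.setAuthTag(b.subarray(12, 28));
  return Buffer.concat([d.update(b.subarray(28)), d.final()]); // throws on tampering
}

// The data key is stored only in wrapped form, under a key derived from a passphrase.
function wrapKey(passphrase, dataKey) {
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(passphrase, salt, 32);
  return { salt: salt.toString('base64'), wrapped: seal(kek, dataKey, 'keyfile') };
}
function unwrapKey(passphrase, keyFile) {
  const kek = crypto.scryptSync(passphrase, Buffer.from(keyFile.salt, 'base64'), 32);
  return open(kek, keyFile.wrapped, 'keyfile');
}

// Only the generated ID stays in the clear; every other field is sealed and bound to
// that ID and its field name, so a ciphertext copied into another row is rejected.
function encryptRecord(key, customer) {
  const id = crypto.randomUUID();
  const row = { id };
  for (const [field, value] of Object.entries(customer)) row[field] = seal(key, value, `${id}:${field}`);
  return row;
}
// Decrypt a single field on demand; the rest of the row stays ciphertext.
function readField(key, row, field) {
  return open(key, row[field], `${row.id}:${field}`).toString('utf8');
}

// Constructed sample data, not real customer information.
const keyFile = wrapKey('constructed-passphrase', crypto.randomBytes(32));
const key = unwrapKey('constructed-passphrase', keyFile);
const row = encryptRecord(key, { name: 'Jane Example', phone: '555-0100' });
console.log(row.id, readField(key, row, 'phone'));
```

A dump of `row` or of `keyFile` without the passphrase yields only the ID and ciphertext, which is the property the post relies on.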