August 22, 2025

What Do French Submarines, Crypto Wallets, and Health Records All Have in Common?

By DataStealth Team

On the surface, three recent cybersecurity incidents could not appear more different.

First, there was the alleged breach of Naval Group, the French defense contractor. Attackers claimed to have exfiltrated a terabyte of data, including source code for submarine combat management systems. This could be a national security issue, not just for France, but for its customers as well, notably Brazil and India.

Second, there was the Coinbase breach. Here, the vector was not some arcane exploit but old-fashioned bribery: criminals paid customer support agents to use their internal tools to access the data of nearly 70,000 users. This was a failure of people and processes.

Third, there was the breach at Episource, an Optum subsidiary, which exposed the health records of over 5.4 million people. This was the sort of industrial-scale data theft that has become depressingly common in recent years.

A state secret, a financial identity, a medical record. The motives and methods seem worlds apart, yet I believe they are all manifestations of the same core truth: every company is now a data company, and, as such, is a target for cybercriminals.

In other words, the security measures designed to protect the world around your data aren’t enough; we must focus on protecting the data itself – even if (or when) it leaves the confines of our physical or digital walls.

But before all that, the story begins with the one thing all these events produced: the corporate statement.

In the aftermath of an event like the one at Naval Group, we see a familiar response. The company launches an investigation and, shortly after, reports its initial findings. In this case, Naval Group stated: “...no intrusion into our IT environments.”

This statement is meant to be reassuring. It implies the walls held – the firewalls, intrusion detection systems, and other perimeter defenses were intact.

The paradox is that this statement is likely true – there may have been no breach of the perimeter systems – but the data was apparently stolen and is now on sale on the dark web. It’s like saying the castle is secure, but the crown jewels are gone.

Yet the conversation remains focused on fortifying the castle, not on protecting the jewels.

This isn’t an anomaly unique to Naval Group – it’s the new normal. The core assumption of enterprise security for over thirty years – that the primary battle is at the perimeter – is collapsing, but not everyone is adapting quickly enough.

To understand why, we need to look at the eras of cybersecurity and why past measures no longer suffice.

The Three Eras of Cybersecurity 

The Perimeter Era

The age of the firewall and VPN. The world was neatly divided into “inside” and “outside.” The goal was to build a digital fortress mirroring your physical corporate HQ, with success measured by keeping attackers out.

The Endpoint Era

The rise of laptops and mobile devices made the perimeter porous. The focus shifted to fortifying assets inside the walls. Endpoint Detection and Response (EDR) became key, under the assumption you had to fight the battle on every device. Data movement was still comparatively limited because it relied largely on physical devices.

The Data Era

The current era – though in play for over a decade – is still poorly understood. Data now flows faster and in greater volumes thanks to cloud adoption, SaaS, and increasingly, GenAI. It moves across borders and jurisdictions, complicating compliance. Often, bad actors (malicious or otherwise) gain access through legitimate, authorized credentials – meaning they’re already “inside” and not perceived as a threat.

In summary: we’ve gone from building the walls (Perimeter Era), to guarding the walls (Endpoint Era), to protecting the assets within the walls (Data Era).

The attacks on Naval Group, Coinbase, and Episource show we are firmly in the Data Era – yet much of the thinking, spending, and corporate response remains stuck in earlier eras.

The Commoditization of Attack

One shift in the ‘Data Era’ is that mounting around-the-clock attacks on even the biggest and most well-fortified companies has become shockingly cheap.

Consider Coinbase. The attackers didn’t need a zero-day exploit; they simply went to the human marketplace and bought access.

This is “Insider-as-a-Service.” The insider threat is no longer just a disgruntled employee – it’s a service you can procure.

Meanwhile, infostealer malware campaigns targeting defense contractors have created a liquid market for credentials. For just a few dollars, an attacker can buy a username and password that opens the front door.

Even when not buying credentials, attackers leverage AI and automation to constantly scan for vulnerabilities. Even with a 99.99% failure rate, they only need one success, and that one success can derail a security leader’s career.

Defenders face a structural disadvantage: it costs far more to defend than to attack.

Value in the Wrong Place

An attacker who reaches the vault only profits if the contents are valuable in their raw, usable form.

Naval Group’s files could be analyzed. Coinbase’s user data could enable fraud. Episource’s health records could be used for extortion.

The failure wasn’t in the wall – it was in the asset.

We’ve poured resources into securing the container (network, server, database), but if the content is authentic and valuable upon theft, those defenses are moot.

A data-centric security model inverts this logic. It assumes the container will fail and focuses on de-risking the content – ensuring that data at rest is tokenized or encrypted, rendering it worthless outside a controlled environment. It’s the digital equivalent of a dye pack in a stolen banknote.

In an era where access is commoditized, the only sustainable strategy is to ensure stolen data has no value.
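The tokenization idea described above, as an added sketch that is not DataStealth's code or product API: sensitive fields are swapped for random tokens before storage, so a copy of the application database contains nothing usable without the separately held vault. The `TokenVault` class, the field names, and the sample records are hypothetical and constructed for illustration.

```python
import secrets

SENSITIVE_FIELDS = {"ssn", "diagnosis"}  # assumed classification for this example

class TokenVault:
    """Hypothetical vault; in production a separately hosted, access-controlled service."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so joins and lookups still work.
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(16)  # random: not derived from the value
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenize(self, token, authorized):
        # 'authorized' stands in for the vault's own policy check.
        if not authorized:
            raise PermissionError("detokenization denied")
        return self._token_to_value[token]

def protect(record, vault):
    """Return the copy of a record that the application database stores."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def exposed_values(stolen_rows, originals):
    """Sensitive plaintext values that appear anywhere in a stolen copy."""
    secrets_in_source = {r[f] for r in originals for f in SENSITIVE_FIELDS}
    seen = {v for row in stolen_rows for v in row.values()}
    return secrets_in_source & seen

# Constructed sample records, not real data.
ORIGINALS = [
    {"member_id": "M-1001", "ssn": "000-12-3456", "diagnosis": "E11.9"},
    {"member_id": "M-1002", "ssn": "000-65-4321", "diagnosis": "E11.9"},
]
VAULT = TokenVault()
DATABASE = [protect(r, VAULT) for r in ORIGINALS]  # what an exfiltrated dump contains

if __name__ == "__main__":
    print(DATABASE)
    print("plaintext in stolen copy:", exposed_values(DATABASE, ORIGINALS))
```

Because the tokens are random rather than derived from the values, there is no key whose theft would reverse them; the vault and its access policy become the asset to protect.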

The Metric That Matters

For years, CISOs were judged on whether they could prevent a breach – keep attackers out.

That’s no longer tenable. Now, there’s an additional question that has to be answered: “What did those attackers steal?” A breach is bad, but what’s worse is when the stolen data evolves into a news headline or a goldmine for rivals. It’s tough for a security leader to recover from that. 

However, if the data itself is in an inherently and perpetually unusable state, even after being stolen or exfiltrated, then security leaders can still bounce back. They can demonstrate that the breach did not lead to the loss of sensitive information (which may have been encrypted or, even better, tokenized) and, instead, treat the breach as an incident – not a catastrophe.

About the Author:
DataStealth Team
DataStealth is a data security platform (DSP) that allows organizations to discover, classify, and protect their most sensitive data and documents, ensuring that sensitive data and documents are secure and that they meet applicable privacy, regulatory, governance and compliance requirements.