And if all the employees have access to this hardware token or passphrase or memorized password or timeboxed token of some kind, does that actually prevent a hack, or does it just let you bullet point "encrypted"?
The main thing encryption prevents is someone that steals a physical device getting access to the data inside. It doesn't do much about unauthorized access to live servers.
It's not defense in depth, it's defense against a different threat entirely.
You want to have encryption, but I doubt their encryption or lack thereof has anything to do with this attack. Do we even have evidence the data wasn't encrypted?
If someone gets access to a ticketing system they shouldn't have, talking about encryption is about as useful as talking about seatbelts. Important for general safety but irrelevant to the problem at hand.
I mean, this is the problem for all companies with sensitive data (ensuring that "ex" employees no longer have access to <stuff>).
Generally it's done via accessing some 3rd party secret storage system where employees need to verify themselves to get access (e.g. Vault, or AWS secrets, or what have you).
> The hacker claims an outsourced worker was compromised through a $500 bribe
Also interesting:
> The hacker claims government IDs were just sitting there for months or even years... I have spoken to people familiar with Discord's Age Verification system, and they said after some period of time Discord will delete (the copies of IDs), but they should be deleting them the second they're done
But honestly, just delete them ASAP; that's the issue.