July 13, 2026

Your encrypted files are already sitting in an adversary’s warehouse

Focused detail of a modern server rack with blue LED indicators in a data center.

The breach that has already happened

Most New Zealand coverage of quantum computing treats it as a future tech curiosity. That framing is wrong, and dangerously so. The attack is underway right now. It is called harvest now, decrypt later (HNDL), and the model is brutally simple: adversaries, including state-backed actors, are already stealing encrypted data and warehousing it until quantum machines are powerful enough to unlock it.

If your business holds anything that must stay confidential for years – customer records, health data, legal files, intellectual property, identity documents – the breach window has already opened. The encryption protecting that data today is not a permanent lock. It is a timer.

As Brandon Hutcheson, Director of Quantum at HSO, put it writing for the Institute of Directors, “Quantum computing doesn’t only create new opportunities for breaches – it exposes those you’ve already had.” The stolen data “remains encrypted and unusable, but it becomes readable in the future.”

AI just moved the deadline forward

The reason this story is live now is the convergence of AI and quantum. AI is being used to help quantum computing clear the technical barriers that once gave security planners a comfortable runway. That runway is collapsing.

Google has warned that quantum computers could break some of the cryptographic systems underpinning most internet transactions as early as 2029. The original estimate for so-called Q-Day was 2035. Tellingly, Microsoft has already pulled its own internal quantum-safe transition deadline forward from 2032 to 2029. When the companies building the machines accelerate their own defences, that is the signal that matters.

Paul Quickenden, country manager at crypto firm Swyftx, framed the strategic point cleanly: “Quantum is an exponential technology. It’s not a problem until it is.” The sceptic’s line – that no fully capable quantum computer exists yet – is technically true and strategically irrelevant if the harvesting is happening now.

What is actually at risk

The systems under threat are RSA and elliptic curve cryptography (ECC), the protocols behind online banking, payment systems, encrypted communications, health records, government data transfers and digital identity. In practice that is every business with an online presence.

The scale of the leap is what unsettles security teams. Classical supercomputers would take millions of years to break an RSA-2048 or ECC-256 key; a capable quantum computer could do it in hours. Paul German, CEO of Certes, warned that “quantum computers could simply crush these well-known public key encryption standards.”

The global mood among security leaders reflects the anxiety. Gigamon’s 2026 survey of 1,000 security leaders found 87% are concerned about HNDL attacks, and Thales research found 61% now cite HNDL as their leading quantum risk. Yet 76% still believe their encrypted data is inherently secure – the exact complacency the threat depends on.

New Zealand is starting from behind

This lands on an already strained local cyber posture. The NZ Cyber Security Strategy 2026-2030, approved by Cabinet in February 2026, concedes that online threats cost New Zealanders at least $1.6 billion in 2024, that 54% of adults faced an online threat in the previous six months, and that the country ranks in Tier 3 of global cyber performance, grouped with developing nations.

The trajectory is worsening before quantum even arrives. The NCSC’s first-quarter 2026 report recorded direct financial losses of $5.6 million, a 76% jump on the previous quarter’s $3.2 million. Data lifted in incidents such as the 2025 Manage My Health breach, which exposed roughly 100,000 patients, could already be sitting in storage awaiting Q-Day.

The one question your board must ask

Hutcheson’s sharpest point is aimed squarely at directors: “The breach may be technical but the failure to prepare may ultimately be judged as a board-level failure.” He also noted that “no one is talking about it in New Zealand.” That silence is now a governance liability.

The practical response is not exotic. Run a cryptographic audit to map where sensitive data sits and how long it must stay confidential. Deane Jessep, CISO at Spectrum Consulting, said customers have “started the cryptographic inventory process” covering intellectual property, customer data, passports and licences. Then hold vendors to account, track NIST’s post-quantum standards, and check whether cyber insurance written on the assumption that encrypted data is safe actually covers an HNDL scenario.

Quickenden’s warning removes the excuse of passing the buck: “If you are a bank, a payment provider, a government agency or a health platform, you cannot just assume someone else in the technology chain will solve it for you.” The question boards should put to their IT teams and vendors is simple. Do you have a post-quantum transition plan, and when does it complete? If the answer is “we’re watching the space,” that is not a plan. It is exposure.

Sources

Subscribe for weekly news

Subscribe For Weekly News

* indicates required