Email wasn’t initially built for privacy. Its initial protocols simply transfer messages but do not provide confidentiality or authentication by default. Encryption and signing standards were introduced later to fill this gap.
Email encryption’s main job is to keep content confidential. Most breaches that matter for email happen when messages are intercepted in transit or exposed at rest on a compromised server or endpoint.
Email encryption addresses the gap by scrambling message contents so only the intended recipient can read them. This prevents eavesdroppers and prevents exposure of sensitive data, safeguarding privacy. Digital signing complements this by confirming the sender’s identity and detecting tampering, which helps provide protection against spoofing and business email compromise (BEC) attempts.
This article focuses on where confidentiality breaks down (in transit, on servers, and on client devices) and the specific, workable controls that restore it—so teams can protect PHI, PII, legal strategy, and IP without breaking everyday email workflows.
Email wasn’t born encrypted. When messages cross the internet, they rely on SMTP with STARTTLS, which is opportunistic by default. It’s great when it works, but it’s also still vulnerable to downgrade and man-in-the-middle tricks if you haven’t locked it down. Most Gmail traffic is encrypted in transit, but attackers still exploit the remaining gaps.
Transport encryption only secures messages in motion. Once an email server is breached, years of stored mail can be exposed in one sweep. In 2022, Security Week reported on how attackers exploited Zimbra flaws to break into more than 1,000 servers, silently accessing entire inboxes.
Without end-to-end encryption (E2EE), mail stored on servers or local clients often sits in readable form. That means a breach of either can expose entire archives. With E2EE, server-side loot is just ciphertext. Pair it with strong endpoint hardening to make sure there are no security gaps.
Plaintext emails have been more of a security concern in recent years. Here are six real-world instances where email was used as an attack vector and malicious actors were able to steal data and shut down their systems.

China-linked actors (Storm-0558) used a stolen Microsoft signing key to forge tokens and read through the cloud mail of roughly 25 organizations, including U.S. government accounts.
How encryption could have prevented it: With E2EE (S/MIME/PGP), token access would have exposed only ciphertext. Message bodies and attachments would have remained unreadable without users’ private keys.
As reported by SecurityWeek, attackers exploited Zimbra flaws and hacked over 1,000 email servers, often planting web shells and rifling through stored mail. With E2EE, stolen mailboxes yield ciphertext instead of readable messages and protect the content of emails.
A destructive breach by the Guardians of Peace stole and leaked executive emails and confidential files at scale, threatening company executives and cinemas showing Sony movies. If sensitive threads had been end-to-end encrypted, leaks would have exposed metadata, not message bodies.
Investigations documented contracted email intrusions against critics and officials linked to the 2022 World Cup, leaking private conversations.
How encryption could have prevented it: Client-side encryption would have turned stolen inboxes into useless ciphertext unless attackers also obtained each target’s private key.
Ashley Madison, an infidelity dating site, was hacked in the mid-2010s. Extremely sensitive customer data like emails, sexual fantasies, credit card details, and purchases were published, proving the real-world stakes of confidentiality failures. Encrypting communications and databases (and limiting what email stores in clear) reduces catastrophic exposure.
The Equifax breach exposed highly sensitive PII for 147 million people, and the fallout included a major FTC settlement, which was announced in November 2024. Email often carries identifiers and links into systems; encrypting those communications narrows what attackers can reuse.

| Industry | Why It’s Critical |
|---|---|
| Healthcare | HIPAA’s Security Rule requires transmission security for ePHI (§164.312(e)(1)), and HHS’ breach rule gives a safe harbor when PHI is encrypted to NIST-aligned standards. Email routinely carries PHI (results, referrals, billing), so unencrypted messages can trigger breach notification and enforcement. |
| Finance and Banking | Financial transactions, account details, and personal IDs must comply with GDPR/CCPA and industry regulations. |
| Government and Defense | Breaches can compromise operations and international relations. |
| Legal and Professional Services | Attorney-client privilege and sensitive case information must remain secret. Exposure risks client trust and bar sanctions. |
| Research and Universities | Universities handle valuable IP and large volumes of student information, so credential phishing regularly compromises campus email accounts. |
| High Tech and SaaS | High-tech teams move trade secrets over email (like source-code review links, build credentials, product roadmaps), making mailbox compromises a fast lane to IP theft and supply-chain risk. |

The Health Insurance Portability and Accountability Act requires “transmission security” under §164.312(e) to protect electronic protected health information (e-PHI). This means healthcare providers, insurers, and their business associates must protect e-PHI in transit, and encryption is the safest route to compliance. Encrypted PHI also benefits from the federal breach-notification safe harbor when keys are not compromised.
The General Data Protection Regulation sets one of the clearest global expectations. Encryption is directly cited as an example of an appropriate security measure, with penalties up to €20 million or 4% of global annual turnover (whichever is higher). For organizations handling EU citizen data (and this applies whether or not they are based in Europe), failure to encrypt sensitive communications can be viewed as a violation of GDPR.
The California Consumer Privacy Act, strengthened by the California Privacy Rights Act, does not specifically require encryption. However, it makes a powerful case for it by defining steep fines and statutory damages when personal information is disclosed without authorization.
Critically, encrypted data is exempt from breach notification obligations if the encryption keys remain secure. That means implementing strong encryption can effectively serve as a legal shield, limiting liability after an incident.
Beyond the U.S. and EU, many national and regional regulators now advise or require email encryption. Similar trends are emerging worldwide, with industry regulators and private-sector guidelines converging on encryption as a baseline expectation for communications.
| Technology | Pros | Cons | Examples Deployment |
|---|---|---|---|
| S/MIME | Built into virtually every email client like Outlook, Apple Mail, iOS, and Thunderbird Integrates cleanly with enterprise PKI/Directory | Certificate management overhead; often requires a corporate PKI | Large enterprises issue S/MIME certs to staff for automated encryption and signing |
| PGP | Free, open source Fine-grained trust control | User key management can be tricky, and it’s less integrated in most clients (requires additional software for more security) | NGOs and privacy-focused firms distribute PGP keys via public keyservers |
| TLS only | Encrypts during transit between mail servers Now ubiquitous via Let’s Encrypt | Transit only, does not protect mail at rest, so email becomes vulnerable if the server or client is compromised (also includes MitM attacks) | With Forced TLS, you can tell mail partners, “Do not deliver unless TLS is supported and used to protect transit” |
In March 2023, The Register reported on how NHS Highland’s HIV service email was breached, exposing recipients by using the To/CC field instead of BCC. This incident was a stark reminder that one misaddressed email can expose sensitive health data.
What an effective fix looks like in practice:
Encryption shifts the balance back to the sender and recipient. It keeps content confidential, preserves integrity, and meets regulators' expectations that sensitive data won’t travel like a postcard.
From healthcare and finance to government and legal, the pattern is the same — plaintext email creates outsized risk, while transport controls plus end-to-end encryption (S/MIME/PGP) turn stolen inboxes into unreadable ciphertext.
Make encryption a first-class part of your email strategy. For example, savignano software solutions is an experienced company, which combines expert consulting with proven tools like S/Notify Email Encryption or their new Uptrust Encryption Gateway to help organizations secure communications end-to-end — keeping data private, compliant, and trusted.
Feel free to share, quote, or republish this article for both non-commercial and commercial purposes. We kindly ask that you include a link back to the original article whenever possible.