Lim May-Ann, Jan 2026
TL;DR
• What is the threat of harvest now, decrypt later?
• What are some practices today that leave us vulnerable to HNDL, particularly in the Asia Pacific region?
• What can we do to defuse the situation? Advice for businesses, advice for policymakers
Between 2023 and 2026, we have seen the acceleration of new digital tools such as AI, as well as strong investments in the compute power that drives these innovations. From large data centres to quantum computing, calculation power is growing by leaps and bounds, challenging cybersecurity protections and standards.
One of the cyberthreats businesses face today is Harvest Now, Decrypt Later (HNDL), where threat actors obtain large amounts of encrypted data and store it away for “Q-Day”, the moment that quantum processing power becomes sufficient to break present-day encryption approaches.
The Era of “Harvest Now, Decrypt Later”
At its core, HNDL is a temporal shell game. Today’s encryption standards – like AES, RSA and ECC – are the bedrock of digital trust. They are mathematically “unbreakable” by any classical computer currently in existence. However, the development of a Cryptographically Relevant Quantum Computer (CRQC) is no longer a matter of “if,” but “when.”
For data with a long “shelf-life,” such as intellectual property, citizen health records, or classified state secrets, a five-to-ten-year wait for decryption is a small price for an adversary to pay for total strategic insight. If your organisation is still operating on a legacy data retention policy, you aren’t just storing information; you are curating a library for future adversaries.
Vulnerabilities Today: The APAC Perspective
Despite the looming threat, several current practices leave Asia Pacific enterprises particularly exposed. The APAC region is a global hub for manufacturing, finance, and logistics, making our data exceptionally “high-value” for long-term harvesting.
- The “Data Hoarding” Culture: In the race to dominate the digital economy and to gather data for AI training (and perhaps out of a culturally-informed data scarcity mentality), many APAC firms have adopted a “keep everything” mentality to fuel future machine learning models. Without aggressive data minimisation, these archives could become digital liabilities against HNDL.
- Legacy Cryptographic Debt: Many of the region’s critical infrastructure and financial systems still rely on “hard-coded” encryption (secret codes, passwords, etc. are written into the source code). These systems lack crypto-agility—the ability to swap out a compromised algorithm for a new one without rebuilding the entire architecture.
- Geopolitical Sensitivity: As a focal point of global strategic competition, APAC is a primary target for state-sponsored “harvesters.” Organisations in the semiconductor supply chain are likely already being harvested as part of multi-decade intelligence plays.
- Government Regulatory Focus on the “Now”: Most regional regulations focus heavily on existing challenges and threats, e.g. preventing unauthorised access, strengthening defences, improving traceability. At present, they rarely mandate the quantum-proofing of data intended for long-term storage.
Defusing the Situation: A Roadmap for 2026 and beyond
While we cannot retroactively fix data that has already been stolen, we can stop adding to the pile. Defusing the HNDL time bomb requires a two-pronged approach from both the private and public sectors.
Guidance for Businesses:
- Conduct a Cryptographic Inventory: You cannot protect what you cannot see. By the end of Q1 2026, every enterprise should have a clear map of where their sensitive data lives and exactly which algorithms are protecting it.
- Prioritise by “Data Longevity”: Not all data needs quantum-proofing. Focus your resources on data that remains sensitive for 10+ years (e.g., genetic data, trade secrets, long-term legal contracts).
- Adopt Post-Quantum Cryptography (PQC): The NIST PQC standards finalised in late 2024 are now ready for implementation. Begin piloting hybrid encryption—combining classical and PQC layers—to provide a “quantum shield” for new data entries.
- Remove Digital Detritus and Shorten Data Retention Windows: If the data is not legally required or mission-critical, delete it completely. The most effective way to prevent future decryption is to ensure there is no data left to decrypt.
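The four steps above can be run as a single triage pass over a cryptographic inventory. The sketch below is an added example, not part of the original article: the asset names and inventory rows are constructed, and the set of public-key families treated as breakable by a CRQC is an assumption of the example.

```python
from dataclasses import dataclass

# Assumption of this example: public-key families a CRQC is expected to break.
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "X25519"}
# Algorithm names from the NIST PQC standards (FIPS 203/204/205).
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}
LONGEVITY_YEARS = 10  # the article's "10+ years" threshold
PRIORITY = ["migrate-first", "review", "migrate-later", "delete", "ok"]

@dataclass
class Asset:
    name: str
    algorithms: str       # key-establishment/signature algorithms, "+" = hybrid
    sensitive_years: int  # how long the data stays sensitive
    required: bool        # legally required or mission-critical

def triage(asset: Asset) -> str:
    """Map one inventory row to an action from the guidance above."""
    if not asset.required:
        return "delete"          # no data left to decrypt later
    algs = {a.strip().upper() for a in asset.algorithms.split("+")}
    if algs - PQC - QUANTUM_VULNERABLE:
        return "review"          # unmapped algorithm: gap in the inventory
    if algs & PQC:
        return "ok"              # pure PQC or classical+PQC hybrid
    if asset.sensitive_years >= LONGEVITY_YEARS:
        return "migrate-first"   # long-lived data that is harvestable today
    return "migrate-later"

def plan(assets):
    """Return (name, action) pairs, most urgent first."""
    rows = [(a.name, triage(a)) for a in assets]
    return sorted(rows, key=lambda r: PRIORITY.index(r[1]))

# Constructed sample inventory (hypothetical asset names).
INVENTORY = [
    Asset("web-session-logs", "ECDH", 1, True),
    Asset("trade-secret-vault", "ECDH+ML-KEM", 25, True),
    Asset("old-marketing-exports", "RSA", 2, False),
    Asset("genomics-archive", "RSA", 30, True),
    Asset("legacy-hsm-backup", "vendor-proprietary", 15, True),
]

if __name__ == "__main__":
    for name, action in plan(INVENTORY):
        print(f"{action:14} {name}")
```

Rows that land in "review" matter as much as the migration list: an algorithm the inventory cannot classify is a gap in the map the first step asks for.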
Guidance for Policymakers:
- Mandate Crypto-Agility: Regulators should move beyond “standard encryption” requirements and begin mandating that critical information infrastructure (CII) be built with crypto-agile architectures.
- Update Data Protection Standards: Governance frameworks must begin to reflect the “temporal” nature of risk. Incentivise companies to migrate to PQC-compliant storage for long-term archives through tax breaks or “Quantum-Safe” certifications.
- Regional Threat Intelligence: Establish APAC-wide sharing portals specifically for HNDL indicators. When one nation detects mass exfiltration of encrypted archives, the entire region must be alerted to the harvesting pattern.
In 2026, CCAPAC is noting that the definition of a “secure” company has changed. It is no longer enough to be secure in the present; you must be secure against the future. Your 2026 data retention policy should not be about how much you can save, but how much you can safely let go.
