First published Apr'24

Data security is handled differently depending on the state the data is in.


At rest
o    Database – system security: I’d lean into large companies who seem to be unhacked: Google Cloud Platform, Amazon Warehouse Services or Microsoft’s Azure. Companies that use these run pen(etration) tests to ensure there are no internal gaps. I ensured that no one had access to data unless they needed it, so access was partitioned by region and level, in most cases access to PI was not allowed, and users were deleted when they left the company.


In motion
o    Data packet – ideally transferred directly from system to system using middleware like MuleSoft. If data has to go another way, make sure it never sits on a laptop at all, as that creates a copy which may never be deleted. The minimum is for the packet to be zipped and encrypted, transferred by email (small) or a Dropbox equivalent (large), with the password supplied through a different channel, e.g. WhatsApp.
o    PI data (email, phone number) itself is only ever provided as a hash. Both ends offer their hashed PI matchkey; where there is a match, it is noted, the second system flags it and the matching data is deleted, so the data only exists for a short period of time, which hugely minimises the fallout of any breach.
o    Website – only enter data where the address shown in the browser’s address bar begins with HTTPS (the S stands for secure).
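The hashed-matchkey exchange described above, as an added example that is not code from the original post. It assumes a shared secret agreed out of band between the two parties (so that a bare hash of a guessable email cannot simply be recomputed by an outsider) and uses constructed sample records.

```python
import hashlib
import hmac

# Constructed sample records for the two parties (not real people).
PARTY_A = ["Alice@Example.com", "bob@example.org", "carol@example.net"]
PARTY_B = ["alice@example.com ", "dave@example.org", "carol@example.net"]

# Assumption: both parties agreed this secret out of band (a separate
# channel, as the post does for archive passwords).
SHARED_KEY = b"constructed-shared-secret"


def normalise(pi: str) -> str:
    # Trim and lower-case so the same email spelled differently still matches.
    return pi.strip().lower()


def matchkey(pi: str, key: bytes = SHARED_KEY) -> str:
    # Keyed hash (HMAC-SHA256) rather than a bare hash: a bare hash of an
    # email can be recomputed by anyone who can guess the email, whereas the
    # keyed version is only reproducible by a party holding the shared key.
    return hmac.new(key, normalise(pi).encode("utf-8"), hashlib.sha256).hexdigest()


def build_matchkeys(records, key: bytes = SHARED_KEY) -> dict:
    # Map matchkey -> local record; only the keys ever leave this system.
    return {matchkey(r, key): r for r in records}


def receive_and_match(own_records, received_keys: set, key: bytes = SHARED_KEY):
    """Second system: flag local records whose matchkey the sender also holds,
    then delete the received matchkeys so they exist only for the exchange."""
    own = build_matchkeys(own_records, key)
    flagged = sorted(own[k] for k in own.keys() & received_keys)
    received_keys.clear()  # matching data deleted once the flags are set
    return flagged


def run_exchange(key: bytes = SHARED_KEY):
    # Party A sends only matchkeys; party B flags its matches and discards them.
    sent = set(build_matchkeys(PARTY_A, key))
    flagged = receive_and_match(PARTY_B, sent, key)
    return flagged, len(sent)  # len(sent) == 0: nothing from A is retained


if __name__ == "__main__":
    print(run_exchange())  # (['alice@example.com ', 'carol@example.net'], 0)
```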


Common hacks, from easiest to hardest:
o    Asking to borrow a phone, having it unlocked and running away with it whilst an accomplice distracts the owner – so don’t keep your credit card physically in the phone case, and require a second step (code or fingerprint) to open key apps and any password safes.
o    Scam spam: using a botnet to send out lots of emails and texts asking the recipient to press a link or make a payment for an RM delivery, etc.
o    Spoofing their email address and trying simple passwords, or ones collated on the dark web from previous hacks.
o    Targeting the human with a trojan – a file or link that gets clicked on, or an infected thumb drive that gets inserted. Most hacks are caused by this. The answer is to never allow physical media to connect to your system; load it via email or the web instead, as that is checked before it gets to you. And never click on anything without thinking – assume everything is a scam!
o    Finding an unpatched or out-of-date security hole – used a lot to get into third-party bridges that link into other, more secure systems.


Check your email address
o    https://haveibeenpwned.com/ My email and password and more have been leaked by: Paddypower (in 2010, discovered 2014), LinkedIn (in 2012, discovered in 2016), Datacamp (2019), 500PX (2018), Facebook (scraped by Cambridge Analytica and others up to 2019), Twitter (2023), Chess (2023).
o    Google offers a Checkup in Password Manager, which is worth looking at a few times a year. I assume Apple will offer something similar.
