Explainer · 5 min read

HNDL explained: who, what, and why it matters now

Harvest-now-decrypt-later is the most immediate quantum threat facing UK financial services — and it doesn't require a quantum computer to have already started.

The basics

What is harvest-now, decrypt-later?

HNDL is a two-stage attack. In stage one, an adversary intercepts and stores encrypted data — emails, API calls, VPN traffic, financial transactions — as it travels across the internet. They can't read it yet. They don't need to. They're not trying to break the encryption today.

In stage two — which may be a decade away — a sufficiently powerful quantum computer breaks the encryption that protected that stored data. Everything collected in stage one becomes readable in stage two.

The threat isn't speculative. The collection is happening now. The decryption is what's waiting.

“The harvest has already happened. The breach is on a timer.”

The timeline

Why the threat is active before quantum computers exist

Nation-states operate on 10-to-20-year intelligence cycles. A piece of data stolen today — a merger negotiation, a long-term lending agreement, a regulatory filing — may still be strategically useful in 2035. Collecting now costs almost nothing. Waiting for the hardware costs nothing either.

The NCSC and NSA have both flagged HNDL as an active threat, not a theoretical one. The infrastructure required for mass collection at scale — tapping internet exchange points, intercepting cloud traffic — is well within the capability of several state actors.

The encryption protecting your data today uses RSA and elliptic curve cryptography. Both are broken by a sufficiently large quantum computer running Shor's algorithm. Neither was designed to withstand a threat that didn't exist when they were standardised.

Risk exposure

Not all data is equally exposed

HNDL risk scales with one variable: how long your data needs to stay confidential.

A consumer card transaction decrypted in 2035 is largely useless — the card has been cancelled, the account closed, the data expired. A KYC file containing passport details, proof of address, and National Insurance numbers decrypted in 2035 is still a complete identity package. A long-term mortgage agreement or regulated correspondence file decrypted a decade from now may carry serious legal, regulatory, and reputational consequences.

Data type                          Shelf life           HNDL exposure
Card transaction confirmations     Days                 Low
Customer KYC files                 5–10 years           High
Mortgage / lending documentation   25+ years            Critical
Regulated correspondence           7–10 years (FCA)     High
Long-term contracts / IP           10–20+ years         Critical

For UK financial services, the FCA's data retention requirements mean most firms are holding data with exactly the shelf life that makes HNDL dangerous. If your data needs to stay confidential for longer than a quantum computer might take to arrive, it's exposed now.

Technical context

Which encryption is at risk

HNDL specifically targets asymmetric encryption — the kind used to exchange keys in transit. RSA and elliptic curve cryptography (ECC) underpin HTTPS, TLS, VPNs, and most encrypted email. These are the protocols an adversary intercepts.

Symmetric encryption — AES-256, used for data at rest — is largely quantum-safe at current key sizes: the best known quantum attack on it (Grover's algorithm) only halves the effective key length, which AES-256 absorbs. The HNDL risk is concentrated in the key exchange layer, not the bulk encryption: the symmetric session key that protects recorded traffic was itself agreed over RSA or ECC, so breaking that exchange later unlocks the bulk data captured alongside it. This matters for prioritisation: the most urgent fix is migrating key exchange mechanisms, not re-encrypting stored databases.

What to do

Where to start

The NCSC's PQC migration guidance sets out five milestone gates for UK organisations. The first is discovery: a full cryptographic asset inventory — every algorithm, every certificate, every key in use across your estate. You can't prioritise HNDL exposure without knowing where your asymmetric cryptography is.

1. Identify which systems transmit sensitive data over public networks
2. Map which of those use RSA or ECC-based key exchange
3. Assess the shelf life of the data those systems carry
4. Prioritise internet-facing, long-lived-data systems first
5. Engage a PQC migration specialist to scope the remediation

The NCSC expects UK financial services organisations to complete discovery and risk prioritisation by 2028. For firms holding long-lived regulated data, starting now is not early — it's already late.
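As an added example (not code from the original page or from the NCSC), the following Python script applies steps 1 to 4 above to a constructed inventory: it keeps only assets whose key exchange is RSA, DH or ECC based, maps the shelf life of the data they carry onto the Low/High/Critical scale from the table earlier, and orders remediation with internet-facing, long-lived-data systems first. The asset names, the 10-year quantum horizon and the year thresholds are assumptions.

```python
from dataclasses import dataclass

# Key-exchange families the page names as breakable by Shor's algorithm.
QUANTUM_VULNERABLE_KEX = {"RSA", "DH", "ECDH", "ECDHE"}
CRQC_HORIZON_YEARS = 10  # assumed planning horizon for a cryptographically relevant quantum computer
RANK = {"Critical": 3, "High": 2, "Low": 1, "None": 0}

@dataclass(frozen=True)
class Asset:
    name: str                # hypothetical system name
    key_exchange: str        # e.g. "RSA", "ECDHE", "ML-KEM"
    internet_facing: bool    # transmits over public networks (step 1)
    shelf_life_years: float  # how long the carried data must stay confidential (step 3)

def exposure(asset: Asset) -> str:
    """Map an asset onto the table's Low/High/Critical scale; 'None' if its key exchange is already PQC."""
    if asset.key_exchange.upper() not in QUANTUM_VULNERABLE_KEX:
        return "None"  # harvested traffic stays opaque even to a future quantum computer
    if asset.shelf_life_years < 1:    # days, like card confirmations
        return "Low"
    if asset.shelf_life_years <= 10:  # KYC files, regulated correspondence (assumed cut-off)
        return "High"
    return "Critical"                 # mortgages, long-term contracts, IP

def exposed_now(asset: Asset, horizon: float = CRQC_HORIZON_YEARS) -> bool:
    """True if data captured today would still need confidentiality beyond the assumed horizon."""
    return exposure(asset) != "None" and asset.shelf_life_years > horizon

def prioritise(assets):
    """Step 4: highest exposure first, then internet-facing, then longest-lived data."""
    relevant = [a for a in assets if exposure(a) != "None"]
    return sorted(relevant, reverse=True,
                  key=lambda a: (RANK[exposure(a)], a.internet_facing, a.shelf_life_years))

# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    Asset("card-auth-gateway", "ECDHE", True, 0.01),
    Asset("kyc-upload-api", "RSA", True, 7),
    Asset("mortgage-docs-sftp", "RSA", True, 25),
    Asset("internal-hr-portal", "ECDHE", False, 15),
    Asset("pqc-pilot-vpn", "ML-KEM", True, 15),
]

if __name__ == "__main__":
    for a in prioritise(INVENTORY):
        flag = "EXPOSED NOW" if exposed_now(a) else "monitor"
        print(f"{a.name:20} {a.key_exchange:6} internet={a.internet_facing!s:5} "
              f"shelf={a.shelf_life_years:>5}y {exposure(a):8} {flag}")
```

The PQC pilot drops out of the ranking entirely, which is the point of step 2: only assets still relying on RSA or ECC key exchange contribute HNDL exposure.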

Next step

Want to understand your firm's specific exposure?

Book a free 30-minute call. We'll walk through your data profile, identify your highest-priority HNDL exposure, and tell you exactly what a formal Quantum Readiness Assessment would cover.