This started, as many things do, with an offhand comment in conversation: “Isn’t it strange that a company like REISSWOLF—handling sensitive data for decades—has no public breaches?”

Strange indeed.

Curiosity piqued, I started digging. What I found was less an open book and more a politely sealed envelope: glossy references to ISO certifications, GDPR compliance, and a “closed security chain”—but no independent breach logs, no third-party audit results, and no visible incidents across over forty years of operations.

Now, either REISSWOLF is the Fort Knox of document management, or they’ve perfected the fine art of telling us just enough without saying very much at all. This article explores that tension—the difference between looking secure and being transparent—and what it can mean for those entrusting them with data.


The suspiciously spotless record

REISSWOLF, a long-standing name in data destruction and archiving, proudly showcases its ISO 27001 certification and GDPR compliance as badges of honour. On paper, it is impregnable: no breaches, no drama, just decades of flawless service. Or so we're told.

But here's the rub: REISSWOLF has been operating since the 1980s, across multiple European countries, handling the sort of data that keeps lawyers, regulators, and PR departments up at night. And yet not a single breach has ever surfaced in public.

In today’s threat landscape, this is about as statistically likely as winning the lottery while being struck by lightning and bitten by a shark—all at once.


Context: Even the best get breached

Back in 2015, a PwC survey reported a 66% year-on-year increase in global security incidents. Even organisations with ISO 27001 certification weren’t immune—although they were arguably better prepared to manage the aftermath.

Data destruction and archiving firms, by their very nature, attract attention from both cybercriminals and opportunistic insiders. The treasure trove of confidential documents, medical records, corporate secrets and legal files is simply too good to resist.

So what explains REISSWOLF’s spotless record?

Perhaps they genuinely operate an airtight security model. Their “closed security chain” and frequent internal audits certainly sound impressive. Alternatively, and somewhat more plausibly, they may have benefitted from the old European tradition of saying nothing and carrying on.

Before GDPR became applicable in May 2018, breach notification duties across Europe were patchy at best. Germany's §42a BDSG, introduced in 2009, covered only a handful of data categories, and many member states had no general duty at all. It was often legal, and culturally acceptable, for a company to sweep a small-to-medium-sized catastrophe under the rug, so long as the rug was large enough and the lawyers kept quiet.


ISO 27001: Excellent framework, not a forcefield

Let's not downplay ISO 27001. It's a rigorous and respected standard, and getting certified isn't a matter of ticking a few boxes. It means a company has a functioning information security management system and has passed an external audit of that system. But the audit tests the management system, not the organisation's resilience against a determined attacker, and it is no guarantee of invulnerability.

ISO 27001 comes with a catalogue of Annex A controls (114 in the 2013 edition, 93 after the 2022 revision), but a certified organisation does not have to implement all of them. Controls are selected, and exclusions justified, in a Statement of Applicability, and the certificate itself names a scope that is often limited to specific business units, sites, or data centres. In a franchise-heavy model like REISSWOLF's (they've got 68+ partners across Europe), such scope limitations are even more critical: a certificate held by the head office says nothing about a partner site that sits outside its scope.

The potential for inconsistent security practices between franchises is considerable. And unless REISSWOLF centrally audits each of them to the same standard—and publishes the results—clients are left to assume, hope, or pray.


GDPR: Not quite a panopticon

With GDPR, we finally got breach notification rules with teeth. Under Article 33, a personal data breach must be reported to the relevant supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A processor (which is what a shredding or archiving provider usually is for its clients' data) must notify the controller without undue delay.

But here's the catch: public disclosure isn't required. Affected individuals must be told (Article 34) only when the breach is likely to result in a high risk to them, and the regulator does not publish what it is notified of. A breach the company can plausibly classify as low risk stays between the company and, at most, the regulator.

Which means the following scenarios are entirely possible:

  • An employee emailed a sensitive file to the wrong client. HR tutted. No one died. No one was told.
  • A franchise partner was compromised via phishing. The data was technically under the partner's control, not REISSWOLF's; the partner told the affected client, the client judged the risk low, and a footnote in a risk register somewhere is the only evidence it happened.

This isn’t deception—it’s compliance. But it’s also not transparency.


Audit me once, shame on you

REISSWOLF cites DQS GmbH as its auditing body, which is perfectly reputable. However, unlike some of its competitors, there’s no evidence of additional third-party scrutiny.

No published penetration test results. No SOC 2 or ISAE 3402 reports. No independent verification of its "closed chain" process. We're asked to trust that everything is secure, because they say so.

The company also highlights its use of Blancco software for data erasure, which is NATO-approved. Lovely. But software erasure only applies to drives that still work and are meant to survive intact; we hear nothing about the hardware destruction side. Are drives shredded to a stated DIN 66399 security level, and which one? Are the shredders calibrated and certified, and does the destruction certificate record media serial numbers? Or is someone just whacking them with a hammer and calling it a day?


And what about before GDPR?

Let's not forget: REISSWOLF was operating long before cloud storage, ransomware gangs, and GDPR became household terms. In the pre-digital era, their security practices were presumably focused on locks, keys, and metal bins.

Back then, breaches were both harder to detect and easier to ignore. If a box of sensitive files went missing in 1996, it might have ended up in a skip or a skip-tracer’s hands. But unless it made headlines, no one was likely to notice.

Today, with digital systems, centralised archives, and internet-facing services, the risks have multiplied. Yet REISSWOLF’s public incident history remains as empty as a PR intern’s inbox during a bank holiday.


Trust, but verify (or at least ask awkward questions)

REISSWOLF’s security claims may be genuine. But in the absence of independent evidence, they remain just that—claims.

If you’re a client, or considering becoming one, you’d be wise to:

  • Ask for breach logs or incident summaries (if available under NDA), and specifically whether any Article 33 notifications have ever been made.
  • Request proof of third-party security audits or penetration testing, with scope and date, not just a summary letter.
  • Read the ISO 27001 certificate's scope statement and the Statement of Applicability behind it: which sites, which business units, which controls were excluded.
  • Dig into how franchises are vetted and monitored, and whether each partner site you will actually use is inside that certified scope.
  • Ask what the destruction certificate records for each job: media type, serial numbers, DIN 66399 level, chain of custody.
  • Keep an eye on GDPR enforcement databases (the CMS GDPR Enforcement Tracker is one) for anything bubbling below the surface.

Because while a company with no breach record is impressive, a company with no visible history at all might simply be playing the oldest game in European corporate culture: don’t ask, don’t tell, don’t document.


“No breaches” could mean flawless security—or it could mean they’re simply very good at destroying the evidence. After all, they are in the business of shredding things.