That story is about connection. About patterns that stretch across time, borders, and industries. And it is giving rise to one of the most significant shifts in digital-risk management since the dawn of cyber insurance: cross-breach intelligence, the ability to link information across multiple data breaches to expose the bigger picture of fraud and financial crime.

From Single Incidents to Systemic Patterns

For more than a decade, most organizations treated data breaches as individual fires to be extinguished. Once an incident was contained and reported, the focus shifted to remediation, customer notifications, and brand recovery. Each breach was logged, investigated, and filed away.

But attackers never saw it that way. The same email addresses, passwords, and passport scans appear again and again across different leaks, reused and repurposed in new schemes. A compromised payroll database from 2023 resurfaces two years later as part of a cryptocurrency scam. A driver’s-license image stolen from one country’s registry reappears as identity documentation for money-laundering rings elsewhere.

The old model of breach response, one event, one investigation, can no longer keep pace with that reality. The real value lies in connecting the dots.

Seeing the Network, Not the Node

Cross-breach intelligence changes the perspective. Instead of looking at a single incident, analysts look across hundreds or thousands, mapping relationships that reveal how stolen data travels and mutates.

By correlating identifiers such as email addresses, hashed IBANs, or passport numbers, it becomes possible to trace the digital footprints of bad actors over years. Sophisticated graph analytics can cluster related data points, showing where one identity overlaps with another, where credentials have been recycled, or where a single threat actor’s infrastructure links multiple campaigns.

These connections often expose previously invisible patterns. The email used in a low-level phishing attempt might also appear in the registration data for a fake trading platform. The same phone number might link to dozens of synthetic identities used to open accounts across neobanks. What once seemed like noise becomes signal.

Why This Matters to Financial Institutions

For compliance officers and risk managers, the implications are profound. Banks, payment providers, and law firms operate under ever-tightening regulations that demand proactive monitoring for fraud and money laundering. Yet most rely on static data, watchlists, transaction patterns, customer-submitted information, rather than dynamic intelligence drawn from the real-world breach ecosystem.

Cross-breach analytics turns leaked data into a defensive asset. It allows a compliance team to know, in advance, when a prospective customer’s credentials, ID number, or contact details have been compromised elsewhere. It can identify clusters of clients that share exposure to the same breach, revealing possible mule networks or insider risk. And it can feed directly into KYC and AML workflows, raising risk scores for entities linked to compromised data.

The benefits are clear: faster detection, better prioritisation, and fewer false positives.

From Reactive to Predictive

Traditional anti-fraud measures are retrospective: they flag suspicious transactions after they occur. Cross-breach intelligence adds a forward-looking dimension. It helps institutions anticipate where fraud is likely to emerge based on patterns already circulating in the dark-web economy.

Imagine an onboarding system that silently checks whether a new applicant’s email or phone number has appeared in known breach datasets. If the match rate is high, the system can escalate verification before the account is ever opened. Or a transaction-monitoring platform that integrates breach-risk scoring, weighting transactions differently depending on the historical exposure of the parties involved.

This is not science fiction. Financial institutions are already integrating these capabilities into production systems, often through APIs provided by specialised analytics firms.

The Role of Breach Analytics

Platforms such as Breach Analytics sit at the intersection of cybersecurity and compliance. By continuously harvesting, normalising, and analysing data from confirmed breaches, they can provide institutions with real-time insights into where exposure overlaps.

The technology works by matching hashed or anonymised identifiers submitted by clients against massive repositories of compromised data. No personal information is exchanged, yet the system can confirm whether a given identity element appears in one or more known breaches. The result is a privacy-preserving check that transforms opaque dark-web data into structured, actionable intelligence.

For law firms and investigators, this capability extends beyond compliance. It supports litigation, asset recovery, and forensic analysis, revealing how digital identities are repurposed across criminal ecosystems.

Ethics, Privacy, and Trust

Using breach data for good requires careful boundaries. Analysts cannot simply re-publish or trade in compromised records; they must handle information responsibly, ensuring that detection happens through hashing, encryption, or pseudonymisation.

Regulators such as the European Data Protection Board acknowledge this balance. Processing breach-related data for the purpose of fraud prevention or AML compliance can fall under legitimate-interest provisions, provided safeguards are in place. Transparency is essential: customers should know that exposure checks form part of due-diligence processes, and the data must never be reused for marketing or profiling.

Handled correctly, cross-breach intelligence strengthens privacy rather than undermines it. It helps organisations protect individuals whose information is already circulating beyond their control.

Building a Resilient Ecosystem

The real power of cross-breach intelligence emerges when it is shared responsibly. Financial institutions, regulators, and law-enforcement agencies increasingly recognise that no single organisation can see the full picture alone.

Collaborative models are emerging, using federated-learning techniques that allow participants to share insights about breach patterns without exposing their underlying data. These systems can detect common threat infrastructures, repeat offenders, and coordinated attack campaigns that span multiple jurisdictions.

The future of financial-crime prevention will depend on this collective visibility, a network of intelligence rather than isolated silos of defence.

Beyond Compliance

At first glance, cross-breach analytics might appear to be another compliance exercise, a box to tick for regulators. In reality, it represents a strategic shift in how institutions understand risk. By viewing breaches as interconnected events rather than discrete failures, organisations can move from crisis management to foresight.

This approach also enhances resilience. Knowing which suppliers, partners, or customer segments have high exposure helps allocate resources more intelligently. It allows boards to ask sharper questions about vendor risk, digital identity policies, and operational continuity.

And perhaps most importantly, it restores confidence. In an environment where consumers are weary of breach headlines, demonstrating that your institution actively monitors and mitigates exposure signals responsibility and maturity.

Looking Ahead

Over the next few years, cross-breach intelligence will mature from a specialist tool to a mainstream component of financial-crime programs. Standardised breach-risk scores will likely become part of regulatory reporting. APIs will connect directly to transaction-monitoring systems, enabling near-real-time updates as new leaks surface.

At the same time, new ethical frameworks will emerge to govern how such data is used, shared, and retained. The industry’s challenge will be to maintain precision without drifting into surveillance. The opportunity will be to transform an overwhelming flood of breach information into clarity, a map of exposure that helps protect individuals and institutions alike.

Conclusion

Every breach tells a story. Alone, each is a tragedy for the people affected and a headache for the company involved. But when viewed together, they form a global narrative of risk, one that reveals how data moves, how criminals adapt, and how organisations must respond.

Cross-breach intelligence turns those fragmented stories into understanding. It is not just a new technology, but a new mindset: seeing the system, not the symptom. For financial institutions and regulators navigating an increasingly complex digital world, that shift could be the difference between chasing the next crisis and preventing it altogether.

Over the past year, as generative AI systems have seeped into every layer of enterprise decision-making, a quiet anxiety has taken hold in boardrooms: what happens when the models that promise competitive advantage are trained on information that was never meant to see daylight?

In 2025, the question is no longer theoretical. Breach data, once the detritus of cybercrime forums has begun to collide head-on with the industrial scale of AI. Somewhere between innovation and liability lies a new frontier of corporate risk.

When the Leak Becomes the Dataset

AI developers need oceans of information to train their systems. Text, images, voice samples, transaction logs, anything that can teach a model to predict or generate. But amid that data deluge, some of what flows in is contaminated.

Bits of breached material, old credential dumps, scraped medical texts, or “public” datasets containing personal identifiers, have a way of finding themselves in places they shouldn’t be. A developer grabs an open dataset on GitHub, unaware that it contains data lifted from a long-forgotten corporate breach. A vendor offers “anonymized” user records for training that, when cross-referenced, clearly map back to living individuals.

No one deliberately sets out to teach their model on stolen information, yet the modern data supply chain is so vast and opaque that unintentional contamination has become almost inevitable. And once a large model has absorbed that information, it’s virtually impossible to extract it again.

The risk isn’t just reputational, it’s regulatory.

Regulation Catches Up

Across jurisdictions, the legal frameworks that once applied only to raw personal data are being extended to cover AI systems themselves. Europe’s AI Act, finalised in 2025, requires organizations to document exactly what data was used in model training and to prove that privacy and consent obligations were met. In the United States, the Federal Trade Commission has begun enforcing penalties against “data laundering”, the repackaging of scraped or leaked data into machine-learning datasets without consent.

And the UK’s Information Commissioner’s Office has made the position clear: there is no exemption for AI. Using breached or leaked personal information for training remains a violation of data-protection law, even if the dataset is “publicly available.”

The result is that data provenance, once a technical curiosity, has become a compliance obligation. Boards are beginning to ask their teams a question that would have sounded strange a few years ago: can we prove that our models were trained on clean data?

From Ownership to Provenance

In the old world of data governance, responsibility was about ownership. Who controlled a dataset? Who had access? Today, it’s about provenance, the full lineage of every record, from its origin to every transformation along the way.

Leading organizations are beginning to trace their training data like supply chains. They’re tagging files with licensing metadata, embedding cryptographic fingerprints, and comparing hash values against known breach corpora to ensure nothing illicit slips through. The tools are still maturing, but the principle is clear: ignorance is no defence.

In this context, breach-intelligence platforms like Breach Analytics play an unexpected new role. Originally designed to map exposed information across the dark web for security and compliance teams, these systems are now being integrated into AI pipelines as early-warning filters — a way to detect whether a dataset contains material linked to known breaches before it contaminates a model.

The same analytics that help law firms trace leaked PII can now safeguard AI developers from regulatory exposure.

The Legal and Ethical Tangle

The collision of AI and breach data has created a dense grey zone where technical possibility outruns legal clarity. Developers argue that training on broad, diverse data produces fairer, more capable models. Regulators counter that privacy and consent cannot be retroactively repaired.

What happens if an LLM reproduces a paragraph from a leaked document verbatim? What if a healthcare AI generates text revealing a patient’s name that was buried somewhere in its training data? Courts are only beginning to consider such cases, but one precedent is already forming: accountability will fall on those who deploy and profit from the models, not just those who built them.

Ethically, the debate mirrors the early internet, between openness and control. Except this time, the stakes are higher because AI systems can internalize and repeat the world’s private information at scale.

When the Model Knows Too Much

Imagine a risk-scoring model built by a financial institution that unknowingly uses transaction data sourced from an analytics vendor whose dataset was partially compiled from leaked card numbers. The model’s performance might look impressive, but it has been trained on unlawfully obtained information. Under the AI Act and GDPR, the company could be held liable even if it never knew.

Or picture a health-tech startup that scraped “public medical text” to train a language model, only to discover months later that part of its corpus came from a ransomware leak of hospital notes. The company might face not only regulatory penalties but a collapse in patient trust.

These are no longer hypothetical scenarios. They are the logical endpoint of the data ecosystem we have built, one where the boundaries between open data, personal data, and breach data blur into each other.

The Compliance Turn

In response, organizations are starting to treat AI data hygiene as seriously as financial auditing. Model registries document every dataset and transformation. Vendors are asked to sign provenance declarations alongside their API contracts. Some firms are even commissioning “model audits”, where independent specialists probe AI systems for signs of data leakage, a process likely to become mandatory under the EU’s new framework.

It’s a cultural shift as much as a technical one. Data scientists, once rewarded purely for innovation, are now being judged on governance. Executives who once saw compliance as a brake on progress are realizing it’s a precondition for trust.

The parallel with food safety is striking: consumers no longer accept “trust us” labels on products, they want to know the source, the handling, and the quality control. Data is heading in the same direction.

From Liability to Leadership

For companies willing to engage seriously, the shift offers an opportunity. The ability to prove that AI systems are trained only on legitimate, permissioned, and breach-free data will become a market differentiator.

Investors are already rewarding firms that can demonstrate robust AI governance. Insurers are starting to offer premium discounts for verifiable data lineage. Even regulators are hinting that transparency could become a mitigating factor in enforcement actions.

In this environment, clean data becomes a form of capital, a trust asset in its own right. And the organizations that can verify it will gain an enduring advantage.

A New Form of Due Diligence

The most advanced teams are building real-time provenance engines that cross-reference their data against breach-intelligence feeds. They hash every record before ingestion, compare it with known exposures, and quarantine anything suspicious. These processes are invisible to end users but transformative behind the scenes.

Where data scientists once worried about accuracy and bias, they now add another variable to the equation: legality. The conversation in AI labs increasingly includes lawyers, compliance officers, and ethicists. The walls between disciplines are finally beginning to fall, not because of regulation alone, but because the reputational risk of ignoring them has become existential.

The Coming Era of Accountability

Over the next few years, the idea of an AI provenance audit will become as normal as a financial audit. Boards will demand assurance that their algorithms are trained ethically. Clients will ask vendors for evidence that models don’t rely on contaminated datasets. And regulators will expect proof, not promises.

Standards bodies are already drafting templates for what these disclosures should look like. Think of them as ISO-style certificates for AI datasets, with cryptographic attestations and lineage metadata attached to every training run.

The technology industry, long celebrated for its appetite for disruption, is now being asked to build systems of memory, a historical record of where each piece of information came from and how it was used.

Conclusion

For years, companies measured data risk in terabytes lost. Now they measure it in terabytes learned. The same breaches that once caused embarrassment are resurfacing as hidden liabilities in AI systems built without oversight.

The future of trust will depend on more than strong models; it will depend on transparent data. Organizations that can show their AI has been trained responsibly, and that no breached or unlawfully obtained information lurks beneath the surface, will stand apart in the coming era of scrutiny.

Breach Analytics sits precisely at that crossroads. By identifying compromised information at scale and verifying data integrity, it enables companies to protect not just their networks but their algorithms.

In the end, data liability isn’t only about compliance. It’s about the credibility of intelligence itself, the confidence that what we teach our machines reflects the best of our knowledge, not the worst of our breaches.

In cybersecurity, speed is survival. The average “dwell time” of attackers — the period between initial compromise and detection — remains measured in weeks, not minutes, for many organizations. According to Mandiant, the global median dwell time in 2024 was 16 days. In that window, attackers can move laterally, escalate privileges, exfiltrate sensitive data, and cover their tracks.

Traditional batch analytics, built for compliance and post-hoc reporting, cannot keep pace. Continuous intelligence, powered by real-time streaming analytics, offers a different paradigm: detect, analyze, and respond as events unfold.

In 2025, this shift is becoming urgent. Organizations that cannot operate at “attack speed” risk becoming the next breach headline.

Why Batch Isn’t Enough

Batch pipelines are designed for scale, not speed. They collect logs, aggregate data, and generate dashboards — often on hourly or daily cycles. This works well for:

• Compliance reporting

• Long-term trend analysis

• Forensic investigations

But when dealing with active threats, batch delays are fatal. A credential stuffing attack can compromise accounts in minutes. A misconfigured S3 bucket can be scanned and exfiltrated almost instantly. Without real-time detection, organizations are blind when they need vision most.

What Is Continuous Intelligence?

Continuous intelligence is the real-time ingestion, processing, and analysis of data streams, enabling immediate decision-making. It integrates four layers:

1. Ingestion — Log and event collection via tools like Kafka, Flink, or AWS Kinesis.

2. Processing — Real-time transformation, feature computation, and enrichment (e.g. failed logins in last 60s).

3. Analytics & Models — Scoring anomalies, running ML models continuously.

4. Action — Triggering automated responses (quarantining devices, locking accounts, alerting analysts).

The value is not just in speed, but in adaptive learning — baselines evolve continuously, reducing false positives and surfacing true anomalies.

Why It Matters for Breach Response

In breach analytics, streaming approaches enable:

• Immediate Detection — spotting unusual login behavior, privilege escalation, or outbound traffic as it happens.

• Correlation Across Domains — linking endpoint, network, and identity events in near real time.

• Automated Remediation — taking action (isolate, suspend, re-authenticate) before damage escalates.

• Faster Forensics — when a breach occurs, continuous logs already structured for analysis enable quicker investigation.

Sector-Specific Use Cases

• Financial Services — Detecting high-velocity fraud attempts or anomalous wire transfers. Regulators expect millisecond-level monitoring.

• Healthcare — Spotting unauthorized access to PHI in real time, preventing large-scale HIPAA violations.

• Government & Critical Infrastructure — Protecting utilities and transport systems, where seconds matter for safety.

• E-Commerce — Identifying bot-driven credential stuffing or card-not-present fraud in real time.

Technology Landscape

The building blocks are evolving fast:

• Open-Source Streaming Engines: Apache Kafka, Apache Flink, Apache Pulsar.

• Cloud-Native Options: AWS Kinesis, Google Pub/Sub, Azure Event Hubs.

• ML in Motion: TensorFlow Serving, MLflow streaming integrations, and increasingly, LLM-powered anomaly detection.

• Visualization & Response: Grafana for dashboards, SOAR (Security Orchestration, Automation, and Response) platforms for automated action.

Challenges & Trade-Offs

Adopting continuous intelligence is not trivial. Organizations must balance:

• Scalability vs Cost — Streaming pipelines can be resource-intensive.

• Noise vs Signal — Poorly tuned models can drown analysts in false alerts.

• Integration — Legacy systems may not support real-time event feeds.

• Governance — Automation must comply with audit, privacy, and regulatory standards.

Yet these challenges are solvable — and the benefits outweigh the complexity.

Emerging Trends: The Next Three Years

Looking ahead, streaming analytics will evolve further:

• Predictive SOCs — Security operations centers using predictive modeling to anticipate breaches before signals escalate.

• AI Agents in Security — LLM-powered “copilots” triaging alerts, recommending actions, and even executing playbooks.

• Cross-Enterprise Intelligence Sharing — Federated, privacy-preserving sharing of threat data streams across industries.

• Integration with Business KPIs — Linking breach analytics to revenue impact, operational downtime, or customer churn metrics.

Case Study: Preventing Exfiltration in Real Time

A global logistics company adopted continuous intelligence pipelines in 2024. Within weeks, the system flagged anomalous outbound traffic from a finance server: a sudden 4GB transfer to an unfamiliar IP, outside business hours.

Automated response cut the session within 30 seconds. Investigation revealed compromised credentials and attempted data theft. In a batch world, this event would not have surfaced until the next day — too late.

Conclusion

The arms race between attackers and defenders is accelerating. Attackers move fast. Defenders must move faster.

Continuous intelligence is the strategic shift that enables organizations to close the gap — transforming breach response from reactive to proactive.

Those who embrace it will reduce breach dwell times, protect sensitive data, and maintain customer trust. Those who do not will find themselves explaining, after the fact, why their dashboards lit up only once the damage was done.

In cybersecurity, timing is everything. Continuous intelligence ensures defenders finally operate at the speed of attack.

Cybersecurity has reached a tipping point. For decades, boards of directors saw it as an operational concern — the domain of CIOs and IT security teams. But in 2025, that view has become dangerously outdated.

Data breaches are now shaping stock prices, driving class-action lawsuits, and triggering regulatory interventions at a scale that directly affects enterprise value. Cybersecurity is no longer just a technical issue; it is a strategic risk category, on par with financial mismanagement or supply chain collapse.

This year marks a structural shift: cyber risk has moved firmly into the boardroom. The question is no longer “Is our firewall strong enough?” but rather “Can our governance, strategy, and resilience withstand a breach — and can our stakeholders trust us to manage it?”

The Wake-Up Calls: Recent High-Impact Breaches

The last 12 months have delivered repeated reminders of what’s at stake.

• Allianz Life (July 2025) — A breach exposed the personal data of over 1.1 million U.S. customers. The company was forced into costly remediation and is now facing legal actions and heightened regulatory scrutiny.

• Qantas Airways (June 2025) — A third-party system compromise potentially leaked records of up to 6 million passengers, including dates of birth and frequent flyer information. While no financial details were exposed, the reputational impact was immediate: customer outrage, media scrutiny, and political commentary.

• MOVEit Supply Chain Fallout (2023–2025) — The software vulnerability that began with Progress Software in 2023 continues to echo across industries. Dozens of organizations — from BBC to U.S. government agencies — were compromised through a single vendor weakness. Years later, supply chain cyber dependencies remain one of the most difficult governance blind spots.

• Legal Fallout — According to the Wall Street Journal, more plaintiff firms are targeting corporations after breaches, filing negligence claims on behalf of consumers impacted by lost data. This trend points toward a future where legal liability for directors in the aftermath of a breach becomes routine, not rare.

These cases demonstrate that boards can no longer afford ignorance. Cyber incidents are no longer technical outliers — they are systemic business events.

Why Boards Must Care

The rationale for board-level ownership of cyber risk is straightforward:

1. Financial Exposure
   The global average cost of a breach now exceeds $4.5 million (IBM, 2024). For large enterprises, figures can reach the tens or hundreds of millions, especially when litigation, regulatory fines, and remediation programs are factored in.

2. Reputation & Trust
   Customers don’t forgive easily. A single breach can erode years of brand equity. Airlines, insurers, banks, and healthcare providers all face customer churn after high-profile incidents.

3. Regulatory Pressure
   Regulators are no longer treating cyber failures as “bad luck.”

   • The U.S. SEC’s new cyber disclosure rules (2023) require public companies to disclose material incidents within four business days.

   • In Europe, the Digital Operational Resilience Act (DORA), in force from 2025, requires financial entities to demonstrate board-level accountability for ICT risks.

   • Under GDPR, boards can be held responsible for non-compliance, with fines up to 4% of global turnover.

4. Investor Expectations
   ESG frameworks increasingly incorporate cyber risk as a governance indicator. Investors are asking: “How robust is your data protection posture? What is your exposure to third-party risk?”

5. Business Continuity
   Cyber incidents now routinely cause operational shutdowns. Hospitals have cancelled surgeries, ports have halted shipments, and factories have suspended production due to cyberattacks. For directors, this is no longer hypothetical.

From IT to Governance: How Boards Are Responding

Forward-looking boards are treating cyber like financial risk: measurable, reportable, and integral to governance. The shifts include:

• Dedicated Cyber Risk Committees — Some organizations now mirror audit committees with cyber oversight structures.

• Regular CISO Briefings — Boards expect quarterly updates on cyber posture, incident trends, and readiness drills.

• Integration into ERM — Cyber risk is assessed alongside financial, compliance, and operational risks.

• Tabletop Simulations — Directors participate in live exercises to rehearse breach response decisions.

• Metrics & KPIs — Boards demand digestible dashboards: patching cadence, mean time to detect/respond, third-party risk ratings, and red-team outcomes.

• Linking Compensation — A growing trend ties executive bonuses to cyber resilience benchmarks.

Case Study: Proactive vs. Reactive Boards

• Proactive: A European bank that ran annual breach simulations at board level responded to a ransomware incident in 2024 within hours, isolating affected systems and communicating clearly with regulators. The board’s familiarity with decision pathways minimized fallout and preserved trust.

• Reactive: A retail company that lacked board engagement faced a breach in late 2023. The board received technical briefings full of acronyms but lacked actionable oversight. Regulatory fines and shareholder lawsuits followed, with directors accused of neglecting fiduciary duties.

The difference? Governance maturity.

Frameworks for Board Oversight

Boards do not need to reinvent the wheel. Established frameworks offer a starting point:

• NIST Cybersecurity Framework 2.0 (2024) — Aligns governance with Identify, Protect, Detect, Respond, Recover.

• ISO 27001 — Internationally recognized standard for information security management.

• FFIEC Cybersecurity Assessment Tool — Widely used in financial services for maturity benchmarking.

• CISA Cybersecurity Performance Goals — A U.S. government-issued set of baseline practices.

Boards that adopt these frameworks signal to regulators and investors that cyber risk is being managed with rigor.

Pitfalls & Challenges

1. Over-Simplification — Boards risk asking for “one number” on cyber risk. Reality is nuanced; no single metric captures it all.

2. False Comfort — Insurance coverage is narrowing. Policies often exclude state-sponsored attacks or systemic supply-chain incidents.

3. Culture & Blame — A punitive culture discourages disclosure. Boards must promote psychological safety in incident reporting.

4. Rapidly Evolving Threats — What was state-of-the-art last year may be outdated today. Boards need dynamic, not static, oversight.

Looking Ahead: 2025–2027

We are entering an era where:

• Cyber Liability for Directors will be tested in courts. Fiduciary duty in cybersecurity will mirror duties in financial oversight.

• Investor Activism will demand disclosure of cyber resilience metrics.

• Integrated Resilience will blur lines between cyber, physical, and operational risk governance.

• Cross-Border Regulations will complicate compliance as data flows globally.

Boards that treat cyber as a strategic pillar will be better equipped to manage uncertainty, build resilience, and safeguard trust.

Conclusion

Cyber risk is not an IT side-note — it is a boardroom responsibility. 2025 is the year this truth becomes unavoidable.

Boards must move beyond awareness to active governance: demanding metrics, running exercises, aligning to frameworks, and integrating cyber into enterprise risk management.

For directors, the stakes are clear: protect customer trust, investor confidence, and corporate value — or risk the consequences of being unprepared in a world where every company is a potential target.

They are where people, who shouldn’t have access to your personally identifiable information (or ‘PII’), get access to it. They can happen by accident or intentionally.

Examples of accidental data breaches include:

• Sending information to the wrong email recipient

• Mistakenly posting something private on social media

• Leaving confidential information in a public space, or

• Improperly securing databases

Examples of intentional data breaches include:

• Hacking a computer system or database, often due to weak controls

• Phishing emails, tricking you into revealing passwords to online accounts

• Social engineering, manipulating you over time, and

• Malware infecting your computer with software to steal data

Why do criminals want my PII?

They are trying to commit crimes using your PII data to make money.

Either you are the victim or someone else [using your PII data].

Scams are massively profitable, and the global scamming industry (‘Scam Inc’) may be worth over $1.0 trillion annually. In the US alone, estimates of losses to scammers range from $12.5 billion to $50.0 billion. To put this in context, the illegal narcotics industry is estimated to be $462-652 billion. So, it is probably correct to say that Scams are bigger than Drugs.

How do criminals use PII data to commit crimes?

Your PII is surprisingly valuable, and here are some ways criminals use it.

1. Deepfake Impersonations

Criminals use Artificial Intelligence (‘AI’) to create realistic photos, videos and/or voices to help them commit crimes. They can open accounts at banks or cryptocurrency exchanges, apply for credit cards or take out mortgages in your name.

They are using your ID to steal money or commit more fraud as part of a bigger scam.

Free, open-source computer programs are available online, allowing criminals to create these deepfakes. Generally, the more information (photos, video and audio) the criminals have on you, the better quality the deepfakes are. Cloning your voice can take as little as 2-3 minutes of recording.

One example of how effective deepfakes can be, occured in 2024. The engineering firm Arup was the target of fraud. Criminals deep faked the CFO over a video call and tricked staff into paying them $25 million.

Now, there are reports that criminals are creating deepfakes in real-time.

How can I protect myself?

To paraphrase, it is always better to

“Bolt the stable door before the horse escapes, rather than after it.”

If you search online, much of the advice is for companies trying to protect the PII they hold. But you can (and should) adopt this advice’s main principle,

“The best defence is a layered defence”.

What does this mean in practice?

You should not rely on one thing to protect you.

You should try and do it all to the best of your abilities.

1. Lockdown and protect all your email accounts.

Every email provider should allow you to secure your account. You can use 2FA or two-factor authentication (see below). If they don’t offer this, you should change your email provider.

If you have an email provided by Apple, Google or Microsoft, the good news is you already have an email that allows you to set up 2FA (even if it’s one of their free email accounts).

• Apple - link

• Google - link

• Microsoft - link

Some email providers offer you more secure or protected email accounts. Google has its Advanced Protection Program (‘APP’). Google provides APP to people such as investigative journalists who were the targets of hackers. The good news is that APP is available to everyone even with their free email service. The more secure email accounts protect your accounts more robustly, at the expense of some usability. This means they block more websites and flag more emails as suspicious.

But isn’t that the point?

They are trying their hardest, to do the best to protect you, that they can.

2. Use Passkeys instead of Passwords

If you have the option, use Passkeys instead of Passwords.

Passkeys are the technology industry’s attempt to replace passwords with something more secure. The reason is that passwords are notorious for being poorly managed, often reused, and weak (or easy for a computer to guess).

Apple, Google and Microsoft all support passkeys

• Apple - Link

• Google – Link

• Microsoft - Link

3. Use 2FA (two-factor authentication) on everything

If someone knows a password for one of your accounts, they are unlikely to know the 2FA code. It is much harder for them to gain access and do something with the account.

You should protect all your accounts where you input personal or payment data. These include (but are not limited to)

• Email (see above),

• Bank accounts,

• Cryptocurrency wallets,

• Utilities (gas, power, water)

• Telecoms (cell phones, landlines and internet),

• Online retail accounts.

You can use

• Passkeys – see above

• Biometric ID – devices can use your fingerprint or face as the 2FA.

• Authenticator apps – Apple, Google, and Microsoft all have authenticator apps. They output a six- or eight-digit code, which changes every 30 seconds and acts as the 2FA.

• Hardware keys – such as a YubiKey or Google Titan Key.

4. Avoid using SMS as your 2FA method

SIM Swapping is a technique where hackers clone the SIM card on your phone. When you get sent an SMS message with your 2FA code, the hacker also gets it. It also means the hacker can access your WhatsApp, Telegram and Signal accounts.

It is a relatively easy technique for sophisticated hackers to implement.

In early 2025, hackers used this technique to attack Marks and Spencer, a retailer in the UK. It resulted in the company closing its online shop for a significant period and the theft of client PII data.

5. Enable stolen device protection

Stolen device protection makes it harder for people to access your devices, wipe them, and change passwords, especially if the person knows your password.

Apple, Google, and Microsoft all have technologies that help you protect your devices.

• Apple – Link

• Google – Link

• Microsoft – Link

6. Hide your Email (aka email obfuscation)

Some technology firms allow you to create a unique random email address that gets forwarded to your real email.

This can be useful as it gives you a unique email for each account you sign up for.

• Apple – Hide My Email is part of their iCloud+ subscription – Link

• Google – Shielded Email is (at the time of writing) under development, but will be like Apple’s Hide My Email functionality - Link

7. Install Anti-Malware and use a VPN

Anti-malware (or what used to be called Anti-Virus) software helps prevent you from opening any malicious files you’ve been emailed or clicking on dangerous websites. There are many providers; a simple online search will help identify them.

If you use your device on an insecure wi-fi network, that network can listen to all your communication, such as your emails. A Virtual Private Network (“VPN”) makes your communication more secure.

If you’ve noticed, points 1-7 above are all related to your computer / IT system.

There is a lot you can do personally to prepare yourself for scams.

8. Advice and Training

If you are lucky (although it might not feel like it at the time), your employer might offer you training and courses on spot phishing, scams and/or fraud attempts.

There is lots of advice available for free on the internet, such as that published by

• The US’s Federal Trade Commission on Consumer Advice, or

• Technology companies like Microsoft.

Many videos are on YouTube, or you can attend a paid course online.

9. Be Sceptical

If someone calls you saying you owe money or you’ve done something bad, STOP.

Take the person’s name and where they are calling from, but do not give them any further information. Tell them you will call them back. If they say they are from an organisation such as the IRS, look up a contact number on an official communication (like your tax return) or their website and try to call through official channels.

If they are legitimate, they will be happy that you check.

NEVER give anyone (especially people you don’t know) your passwords or 2FA codes (see below).

10. Set up Alerts at Credit Reference Agencies

You can set up an alert with any one of the three Credit reference Agencies

• Equifax - Link

• Experian - Link

• TransUnion - Link

The alerts tell you when someone (including you) tries to open an account with a financial services firm or obtain a line of credit in your name. You do not need to place alerts with all of them. You do not have to be a victim of fraud or identity theft; you can do it purely as a precautionary measure.

Oh, and they are free. Just don’t forget to renew them after they run out.

What about just setting up a recurring calendar meeting on your phone?

11. Reduce the amount of information held by Data Brokers

Data brokers specialise in collecting and selling your information to third parties. They collect data from public records and buy data from others.

If you ever receive random emails from services you never signed up for, it may be because they purchased your contact information from data brokers.

Data brokers do get hacked. In April 2024, hackers broke into the data broker National Public Record and exposed the PII of at least 300 million people in billions of records. Some of the data included names, dates of birth, SSNs’ and phone numbers. One disheartening point is that while the hack occurred in April 2024, the company acknowledged the data breach in August 2024, some four months later.

You can contact data brokers to get your information removed (it is within your rights), or you can subscribe to companies that do it for you35. Companies that provide this service include

• Incogni - Link

• Privacy Bee - Link

Can I get my money back if I’m a victim?

The short answer is it depends. You might be able to get your money back.

But

• it can be hard to do so,

• the amount may be capped,

• it will depend on what type of fraud occurred,

• how it [the fraud] was paid, and

• the regulations of the country you are in.

If you’ve noticed, banks are building additional steps into their payment flows, which ask you to confirm that you’ve double-checked the payment. The banks are asking you to verify that the payment is genuine and not fraudulent.

Why are they doing this?

It’s because of a scam called Authorised Push Payment (‘APP’) fraud. APP fraud is where scammers manipulate you into authorising the payment to the scammer through your bank’s phone app or website. When you click the ‘make the payment’ button, you ‘authorise’ the payment to be ‘pushed’ to the recipient. The banks are protecting themselves against claims they didn’t protect victims against APP fraud. They are putting the risk of APP fraud back on you, the victim.

In the UK, banks must reimburse victims up to £415,000 per claim, subject to terms and conditions.

The USA has weaker consumer protection legislation. Many banks and financial technology firms classify APP fraud as authorised even if someone tricked you into making the payment, and the Electronic Fund Transfer Act (Reg E) only applies if the payment is unauthorised.

Remember all those additional steps in payment flows that we discussed above?

If you are a victim, you should

• Report the fraud to your bank and the police

• And speak to a citizen’s advice bureaux to get their advice.

How do I protect the data held by my company?

As you start to collect PII, you should protect it. Please remember that if you hold PII data of UK, European and Californian citizens, there are legal requirements for you to do so, and you could face stiff penalties or fines if you don’t.

In 2025, Meta was fined Euro 1.2 billion for data transfer from Europe to the USA without adequate data protection mechanisms.

1. Hire a competent Chief Information Security Officer (“CISO”)

Hiring a competent CISO is essential. Cyber security is now a strategic business risk. You must protect client PII data. Regulators have extraordinary powers to fine businesses for failures in data protection, and they can fine companies that operate in different jurisdictions.

Your CISO understands the different risk management frameworks (like NIST and ISO 27001), helps ensure your company meets its regulatory requirements, trains your staff in security, and ultimately helps prevent costly mistakes.

If you have a small business, you can hire a CISO on a part-time or fractional basis.

2. Go through the ISO27001 and/or SOC2 audit processes

ISO 27001 is an information management system, and SOC2 is a set of security standards. They are related, with about a 70% crossover in what they measure. A simple way to think of the difference is ISO 27001 focuses more on policies and procedures, and SOC2, the nuts and bolts of everything properly connected to security monitoring software.

If you are a US-focused business, SOC2 is probably the first one you ought to tackle. Europeans tend to be more focused on ISO 27001.

3. Layer your defences and lock down your data

Your CISO will help you implement a robust system of layered defences to help you lock down and protect your data.

4. Ruthlessly enforce data deletion policies

As a business owner, you must ask, do you need data from 10 years ago or more? Is it still relevant to your business today? If so, do you need to keep all the data? Purging PII data when it is not required or relevant (obviously subject to any mandatory data retention laws) is sensible.

5. Consider switching from Google to Microsoft’s enterprise solutions

Switching may be controversial!

Google has made setting up its business solutions easy through Google Workspace. However, Microsoft is considered to have a more robust and integrated solution that offers end-to-end security across identity, endpoint, cloud, and applications. You can achieve the same security levels with Google but must pay for (and integrate) additional software solutions.

This being said. Microsoft’s solution needs configuring and managing. To get the best out of it, you probably need a CISO. Google is an excellent solution if you are starting on your own and are not an IT or cybersecurity expert.

How can I prevent stolen data from being used to defraud my company

Unfortunately, you will never be able to eliminate fraudulent data used against you. Here are some measures you can put in place to reduce the risk

1. Identity Verification and Authentication

If your clients trust you with their PII, you should enforce Two-Factor Authentication everywhere they log in. Ideally, you should implement phishing-resistant methods such as authenticator code or passkeys, not SMS or email. You can add behavioural-based risk detection, such as flagging logs from unusual locations.

2. Threat Intelligence - Monitor for the Misuse of Stolen Information

You should subscribe to threat intelligence, dark web monitoring and data breach analytics tools to determine when stolen PII is being used or shared.

Wouldn’t it be good to know if the data was stolen and the same PII data (legitimately or not) was used to open an account or buy a service from you?

3. Zero Trust

There is a concept in cybersecurity of “Zero Trust”. To put it another way, “Never trust, always verify”.

This means you should think about implementing techniques such as i) requiring dual approvals required for payments or signing contracts, ii) vetting suppliers and customers, and iii) validating all data (e.g. IDs, SSNs, addresses and credentials) through third-party services.

4. Staff Awareness - Educate and Train your Employees

You should train your staff to recognise social engineering and phishing and how to handle PII data securely.

5. Reporting

You should have a reporting mechanism so customers and staff can quickly report suspicious activity.

6. Incident Response and Faud Recovery Plan

You need to know your legal obligations to protect PII and have a plan in case things go wrong. This means figuring out how to

• lock affected accounts,

• alert impacted parties,

• work with law enforcement,

• insurers and third-party security firms and

• improve defences.

What is being done to fight fraud?

The short answer is not enough.

The slightly longer answer is that many intelligent and compassionate people work extremely hard to reduce fraud.

But it is still not enough. How can it be if scammers steal $500 billion per year?

The problem is that scamming is endemic and global in its reach. Modern technology allows scammers to set up anywhere and target you. Combatting fraud is very hard. Investigations are laborious and require meticulous planning and often international coordination.