What you need to know about data breaches

matthew Denyer
13 min read

What are data breaches?

A data breach is when someone who should not have access to your personally identifiable information (or ‘PII’) gets access to it. Breaches can happen by accident or intentionally.

Examples of accidental data breaches include:

  • Sending information to the wrong email recipient

  • Mistakenly posting something private on social media

  • Leaving confidential information in a public space, or

  • Improperly securing databases

Examples of intentional data breaches include:

  • Hacking a computer system or database, often due to weak controls

  • Phishing emails, tricking you into revealing passwords to online accounts

  • Social engineering, manipulating you over time, and

  • Malware infecting your computer with software to steal data

Why do criminals want my PII?

They are trying to commit crimes using your PII data to make money.

Either you are the victim, or someone else is (defrauded by a criminal using your PII).

Scams are massively profitable, and the global scamming industry (‘Scam Inc’) may be worth over $1.0 trillion annually. In the US alone, estimates of losses to scammers range from $12.5 billion to $50.0 billion. To put this in context, the illegal narcotics industry is estimated to be $462-652 billion. So, it is probably correct to say that Scams are bigger than Drugs.

How do criminals use PII data to commit crimes?

Your PII is surprisingly valuable, and here are some ways criminals use it.

1. Deepfake Impersonations

Criminals use Artificial Intelligence (‘AI’) to create realistic photos, videos and/or voices to help them commit crimes. They can open accounts at banks or cryptocurrency exchanges, apply for credit cards or take out mortgages in your name.

They use your identity to steal money directly, or to commit further fraud as one step in a bigger scam.

Free, open-source computer programs are available online, allowing criminals to create these deepfakes. Generally, the more information (photos, video and audio) the criminals have on you, the better quality the deepfakes are. Cloning your voice can take as little as 2-3 minutes of recording.

One example of how effective deepfakes can be occurred in 2024. The engineering firm Arup was the target of fraud: criminals deepfaked the CFO on a video call and tricked an employee into paying them about $25 million.

Now, there are reports that criminals are creating deepfakes in real-time.

How can I protect myself?

To paraphrase, it is always better to

“Bolt the stable door before the horse escapes, rather than after it.”

If you search online, much of the advice is for companies trying to protect the PII they hold. But you can (and should) adopt this advice’s main principle,

“The best defence is a layered defence”.

What does this mean in practice?

You should not rely on one thing to protect you.

You should try and do it all to the best of your abilities.

1. Lockdown and protect all your email accounts.

Every email provider should allow you to secure your account. You can use 2FA or two-factor authentication (see below). If they don’t offer this, you should change your email provider.

If you have an email provided by Apple, Google or Microsoft, the good news is you already have an email that allows you to set up 2FA (even if it’s one of their free email accounts).

Some email providers offer a more secure, locked-down account mode. Google has its Advanced Protection Program (‘APP’), originally built for people such as investigative journalists and campaign staff who are targeted by hackers; it is available to everyone, including free Gmail users. These modes protect your account more robustly at the expense of some usability: APP requires a hardware security key or passkey to sign in, restricts which third-party apps can access your data, and flags more downloads and emails as suspicious.

But isn’t that the point?

They are doing the best they can to protect you.

2. Use Passkeys instead of Passwords

If you have the option, use Passkeys instead of Passwords.

Passkeys are the technology industry’s attempt to replace passwords with something more secure. The reason is that passwords are notorious for being poorly managed, often reused, and weak (or easy for a computer to guess).

Apple, Google and Microsoft all support passkeys, as do most password managers.

3. Use 2FA (two-factor authentication) on everything

If someone learns the password for one of your accounts, they still need the second factor, which they are unlikely to have. That makes it much harder for them to log in and do anything with the account.

You should protect all your accounts where you input personal or payment data. These include (but are not limited to)

  • Email (see above),

  • Bank accounts,

  • Cryptocurrency wallets,

  • Utilities (gas, power, water)

  • Telecoms (cell phones, landlines and internet),

  • Online retail accounts.

You can use

  • Passkeys – see above

  • Biometric ID – devices can use your fingerprint or face to unlock the device and the passkeys or other credentials stored on it, so the biometric stands in as the second factor. The biometric itself never leaves the device.

  • Authenticator apps – Apple (built into the Passwords app), Google and Microsoft all offer authenticator apps. They generate a six- or eight-digit one-time code that changes every 30 seconds (the TOTP standard, RFC 6238) and acts as the second factor.

  • Hardware security keys – such as a YubiKey or Google Titan Security Key. These are the strongest option because they are phishing-resistant: the key only answers for the genuine site it was registered with, so a look-alike site gets nothing.

4. Avoid using SMS as your 2FA method

SIM swapping is a technique where an attacker persuades your mobile carrier (usually by social engineering its customer support staff, sometimes with help from a bribed insider) to move your phone number onto a SIM they control. They never touch your handset. Once the number is theirs, every SMS 2FA code sent to you goes to them instead. Because WhatsApp, Telegram and Signal verify a new install with an SMS code, the attacker can also register your messaging accounts on their own device, unless you have set a registration PIN (Signal’s Registration Lock, WhatsApp’s two-step verification, Telegram’s two-step verification password).

It requires little technical skill: the attack is on the carrier’s processes, not on your phone, which is exactly why it is popular.

In 2025 the UK retailer Marks and Spencer was hit by an attack that began with social engineering of this kind (reportedly by persuading an outsourced IT help desk to reset an employee’s credentials, rather than by a SIM swap). It resulted in the company suspending online orders for several weeks and the theft of customer PII.

5. Enable stolen device protection

Stolen device protection makes it harder for a thief who has your device, and even your passcode, to get into your accounts, change passwords, turn off device tracking or wipe the device: sensitive actions require a biometric check and, away from familiar locations, a time delay before they take effect.

Apple, Google, and Microsoft all have technologies that help you protect your devices.

6. Hide your Email (aka email obfuscation)

Some technology firms allow you to create a unique random email address that gets forwarded to your real email.

This can be useful as it gives you a unique email for each account you sign up for.

  • Apple – Hide My Email is part of their iCloud+ subscription

  • Google – Shielded Email is (at the time of writing) under development, but will be like Apple’s Hide My Email functionality

7. Install Anti-Malware and use a VPN

Anti-malware (what used to be called anti-virus) software helps stop you opening malicious files you’ve been emailed or visiting dangerous websites. Windows and macOS ship with built-in protection (Microsoft Defender and XProtect respectively); the most important thing is to keep it, and the operating system, updated. There are many third-party providers; a simple online search will help identify them.

If you use your device on an untrusted wi-fi network (a café, a hotel), whoever controls that network can see which sites you connect to and can tamper with any connection that is not encrypted. Most email and web traffic is now protected by TLS (the padlock in the browser), so the contents are usually safe, but a Virtual Private Network (‘VPN’) wraps all of your traffic in an encrypted tunnel so the local network learns nothing. Be aware that this only moves the trust to the VPN provider, so pick one you have good reason to trust.

You may have noticed that points 1-7 above all relate to your devices and online accounts.

There is a lot you can do personally to prepare yourself for scams.

8. Advice and Training

If you are lucky (although it might not feel like it at the time), your employer might offer you training and courses on spotting phishing, scams and fraud attempts.

There is lots of advice available for free on the internet, such as that published by

Many videos are on YouTube, or you can attend a paid course online.

9. Be Sceptical

If someone calls you saying you owe money or you’ve done something bad, STOP.

Take the person’s name and where they are calling from, but do not give them any further information. Tell them you will call them back, and do not use a number they give you. If they say they are from an organisation such as the IRS, look up a contact number on an official communication (like your tax return) or on the organisation’s website, and call back through that official channel.

If they are legitimate, they will be happy that you check.

NEVER give anyone (especially people you don’t know) your passwords or 2FA codes (see point 3 above).

10. Set up Alerts at Credit Reference Agencies

You can set up an alert with any one of the three Credit reference Agencies

A fraud alert requires lenders to take extra steps to verify your identity (normally by contacting you) before they open an account or extend a line of credit in your name, so you find out when someone (including you) tries. In the US you only need to place it with one agency, which must pass it on to the other two. You do not have to be a victim of fraud or identity theft; you can do it purely as a precautionary measure. If you want something stronger, a credit freeze blocks new credit checks altogether until you lift it.

Oh, and they are free. An initial fraud alert expires (in the US, after one year), so don’t forget to renew it when it runs out.

What about just setting up a recurring calendar meeting on your phone?

11. Reduce the amount of information held by Data Brokers

Data brokers specialise in collecting and selling your information to third parties. They collect data from public records and buy data from others.

If you ever receive random emails from services you never signed up for, it may be because they purchased your contact information from data brokers.

Data brokers do get hacked. In April 2024, hackers broke into the data broker National Public Data and exposed the PII of hundreds of millions of people across billions of records. The data included names, dates of birth, SSNs and phone numbers. One disheartening point is that while the hack occurred in April 2024, the company only acknowledged the breach in August 2024, some four months later.

You can contact data brokers to get your information removed (in many jurisdictions this is your legal right), or you can subscribe to companies that do it for you. Companies that provide this service include

Can I get my money back if I’m a victim?

The short answer is it depends. You might be able to get your money back.

But

  • it can be hard to do so,

  • the amount may be capped,

  • it will depend on what type of fraud occurred,

  • how the payment was made, and

  • the regulations of the country you are in.

You may have noticed that banks are building additional steps into their payment flows that ask you to confirm you have double-checked the payment. The banks are asking you to verify that the payment is genuine and not fraudulent.

Why are they doing this?

It’s because of a scam called Authorised Push Payment (‘APP’) fraud. APP fraud is where scammers manipulate you into authorising the payment to the scammer through your bank’s phone app or website. When you click the ‘make the payment’ button, you ‘authorise’ the payment to be ‘pushed’ to the recipient. The banks are protecting themselves against claims they didn’t protect victims against APP fraud. They are putting the risk of APP fraud back on you, the victim.

In the UK, since October 2024 banks must reimburse most APP fraud victims up to £85,000 per claim (the cap was originally proposed at £415,000), subject to terms and conditions.

The USA has weaker consumer protection. Many banks and financial technology firms classify APP fraud as an authorised payment even though someone tricked you into making it, and the Electronic Fund Transfer Act (implemented by Regulation E) only requires reimbursement when a transfer was unauthorised.

Remember all those additional steps in payment flows that we discussed above?

If you are a victim, you should

  • Report the fraud to your bank and the police

  • Speak to Citizens Advice (in the UK) or your local equivalent to get their advice.

How do I protect the data held by my company?

As you start to collect PII, you should protect it. Please remember that if you hold PII data of UK, European and Californian citizens, there are legal requirements for you to do so, and you could face stiff penalties or fines if you don’t.

In May 2023, Meta was fined €1.2 billion by the Irish Data Protection Commission for transferring European users’ data to the USA without adequate data protection mechanisms.

1. Hire a competent Chief Information Security Officer (“CISO”)

Hiring a competent CISO is essential. Cyber security is now a strategic business risk. You must protect client PII data. Regulators have extraordinary powers to fine businesses for failures in data protection, and they can fine companies that operate in different jurisdictions.

Your CISO understands the different risk management frameworks (like NIST and ISO 27001), helps ensure your company meets its regulatory requirements, trains your staff in security, and ultimately helps prevent costly mistakes.

If you have a small business, you can hire a CISO on a part-time or fractional basis.

2. Go through the ISO27001 and/or SOC2 audit processes

ISO 27001 is an international standard for an information security management system (‘ISMS’): the policies, risk assessments and controls an organisation runs to protect its information. SOC 2 is an attestation report, issued by an auditor against the AICPA Trust Services Criteria, on whether your security controls are suitably designed (Type I) and operated effectively over a period (Type II). They overlap substantially in what they measure, so evidence gathered for one largely serves the other. A simple way to think of the difference is that ISO 27001 focuses on the management system and its policies and procedures, while SOC 2 tests whether the concrete technical controls (access control, logging, monitoring, change management) actually operated as described.

If you are a US-focused business, SOC2 is probably the first one you ought to tackle. Europeans tend to be more focused on ISO 27001.

3. Layer your defences and lock down your data

Your CISO will help you implement a robust system of layered defences to help you lock down and protect your data.

4. Ruthlessly enforce data deletion policies

As a business owner, you must ask, do you need data from 10 years ago or more? Is it still relevant to your business today? If so, do you need to keep all the data? Purging PII data when it is not required or relevant (obviously subject to any mandatory data retention laws) is sensible.

5. Consider switching from Google to Microsoft’s enterprise solutions

Switching may be controversial!

Google has made setting up its business solutions easy through Google Workspace. However, Microsoft is considered to have a more robust and integrated solution that offers end-to-end security across identity, endpoint, cloud, and applications. You can achieve the same security levels with Google but must pay for (and integrate) additional software solutions.

That being said, Microsoft’s solution needs configuring and managing. To get the best out of it, you probably need a CISO. Google is an excellent solution if you are starting on your own and are not an IT or cybersecurity expert.

How can I prevent stolen data from being used to defraud my company?

Unfortunately, you will never be able to eliminate the risk of stolen data being used against you. Here are some measures you can put in place to reduce the risk.

1. Identity Verification and Authentication

If your clients trust you with their PII, you should enforce two-factor authentication everywhere they log in. Ideally, use phishing-resistant methods such as passkeys or hardware security keys; authenticator-app codes are a reasonable fallback and far better than SMS or email, but a code typed into a fake site can still be relayed to the real one in real time. On top of that, add risk-based detection, such as flagging logins from unusual locations or from two places a user could not plausibly have travelled between in the time available.
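The “unusual location” check described above can be made concrete as an impossible-travel rule: if two consecutive logins by the same user imply a speed faster than an airliner, at least one of them is not the user. Below is an added example (not code from the original article or any vendor product) that runs that rule, plus a lower-severity “first login from a new country” signal, over a handful of constructed login events. It assumes each event has already been enriched with a latitude, longitude and country from a GeoIP lookup.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    at: datetime          # must be timezone-aware
    lat: float
    lon: float
    country: str          # ISO 3166 code from a GeoIP lookup (assumed already done)


EARTH_RADIUS_KM = 6371.0
# Faster than a commercial airliner: no legitimate user moves this fast.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _by_user(events):
    """Group events per user, oldest first, so consecutive pairs can be compared."""
    grouped = {}
    for e in sorted(events, key=lambda e: e.at):
        grouped.setdefault(e.user, []).append(e)
    return grouped


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins by the same user whose implied speed exceeds max_kmh.
    Returns plain dicts so the caller can ship them to a SIEM or a step-up auth decision."""
    alerts = []
    for user, logins in _by_user(events).items():
        for prev, cur in zip(logins, logins[1:]):
            dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.at - prev.at).total_seconds() / 3600
            if hours == 0:
                # Two logins in the same second from different places is still impossible travel.
                speed = float("inf") if dist_km > 0 else 0.0
            else:
                speed = dist_km / hours
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev.country, "to": cur.country,
                               "km": round(dist_km), "kmh": round(speed), "at": cur.at})
    return alerts


def new_country_logins(events):
    """Lower-severity signal: a login from a country not previously seen for that user."""
    flagged = []
    for user, logins in _by_user(events).items():
        seen = set()
        for e in logins:
            if seen and e.country not in seen:
                flagged.append({"user": user, "country": e.country, "at": e.at})
            seen.add(e.country)
    return flagged


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events (not real logs): alice "travels" London -> Lagos in one hour,
# bob drives London -> Manchester in three, carol goes Berlin -> Paris a day later.
SAMPLE_LOGINS = [
    Login("alice", _t("2025-01-06T09:00:00"), 51.5074, -0.1278, "GB"),
    Login("alice", _t("2025-01-06T10:00:00"), 6.5244, 3.3792, "NG"),
    Login("bob",   _t("2025-01-06T09:00:00"), 51.5074, -0.1278, "GB"),
    Login("bob",   _t("2025-01-06T12:00:00"), 53.4808, -2.2426, "GB"),
    Login("carol", _t("2025-01-06T08:30:00"), 52.5200, 13.4050, "DE"),
    Login("carol", _t("2025-01-07T08:30:00"), 48.8566, 2.3522, "FR"),
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print("IMPOSSIBLE TRAVEL", a)
    for n in new_country_logins(SAMPLE_LOGINS):
        print("new country", n)
```

Only alice trips the impossible-travel rule (roughly 5,000 km in an hour); carol’s Berlin-to-Paris login is physically plausible and is only reported as a new country, which is the kind of signal you would use to require a second factor rather than to block outright. GeoIP is imprecise and VPNs and mobile carriers move users around on the map, so tune the threshold and whitelist known corporate egress points before alerting on it in production.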

2. Threat Intelligence - Monitor for the Misuse of Stolen Information

You should subscribe to threat intelligence, dark web monitoring and data breach analytics tools to determine when stolen PII is being used or shared.

Wouldn’t it be good to know if the data was stolen and the same PII data (legitimately or not) was used to open an account or buy a service from you?

3. Zero Trust

There is a concept in cybersecurity called “Zero Trust”, summed up as “Never trust, always verify”.

This means you should think about implementing techniques such as i) requiring dual approval for payments or signing contracts, ii) vetting suppliers and customers, and iii) validating all data (e.g. IDs, SSNs, addresses and credentials) through third-party services.

4. Staff Awareness - Educate and Train your Employees

You should train your staff to recognise social engineering and phishing and how to handle PII data securely.

5. Reporting

You should have a reporting mechanism so customers and staff can quickly report suspicious activity.

6. Incident Response and Fraud Recovery Plan

You need to know your legal obligations to protect PII and have a plan in case things go wrong. This means figuring out how to

  • lock affected accounts,

  • alert impacted parties,

  • work with law enforcement, insurers and third-party security firms, and

  • improve defences.

What is being done to fight fraud?

The short answer is not enough.

The slightly longer answer is that many intelligent and compassionate people work extremely hard to reduce fraud.

But it is still not enough. How can it be if scammers steal hundreds of billions of dollars per year?

The problem is that scamming is endemic and global in its reach. Modern technology allows scammers to set up anywhere and target you. Combatting fraud is very hard. Investigations are laborious and require meticulous planning and often international coordination.
