Stefano Gazzella : 12 November 2025 07:09
Unfortunately, personal data is a highly attractive and valuable market for cybercriminals, for reasons that are not at all difficult to imagine . We’re not just talking about scams or identity theft, but a whole range of illicit activities that can be exploited in a wide variety of ways. This applies to both data exposed online and data found on dark web marketplaces, with the common goal of making direct or indirect profits.
Having learned that the undesirable use of our personal data exists and is indeed a significant market for cybercriminals, we might now conclude that all privacy regulations are completely useless. In short, if a cybercriminal intends to commit a series of illicit activities, certainly obtaining our personal data by violating the rules isn’t even worthy of being labeled the “least of their problems.” But we need to consider why our personal data is becoming so easily accessible, thus discovering through a few logical steps that greater attention from those who perform operations on it would reduce its availability.
While it’s impossible to have a scenario in which the risk of our personal data being used in illicit activities is eliminated, it might be desirable to at least have one in which looting it is particularly difficult and the loot less lucrative. In short, it’s clear that when the costs outweigh the opportunities, a cybercriminal usually gives up. Unless they’re particularly motivated, of course.
This, however, requires a preliminary remark. Every entity that collects and uses personal data is required to ensure data protection throughout the entire supply chain, thus focusing on the specific aspects identified by the law. This means verifying that the data is lawfully acquired, its purposes are defined, and only the data necessary to achieve those purposes is collected and retained.
Obviously, taking into account that every operation must be carried out safely.
The aspect that emerges is undoubtedly that of security, both logically and relevantly. This is not only mandated by the law, but is also a prerequisite: the secure processing of personal data ensures mitigation of the risks posed to the data subject. Without security, there can be no adequate protection.
A higher level of general security combats cybercrime, but this requires a shared effort from multiple actors, namely all those who perform data operations. Guidance is provided by legislation, which requires considering what data to collect, why , and, above all, for how long . Justifying each step requires greater attention, and greater attention allows us to overcome a whole series of critical issues related to unawareness, carelessness, and inattention.
Therefore, respect for privacy—understood as the protection of personal data—is the prerequisite for data to be processed securely. Or rather, more securely than the alternative scenario in which the safeguards required by law are not in place.
A cultural approach that takes into account the risks to data subjects requires that those who decide on the fate of personal data be held accountable, but also requires greater widespread attention to the issue. This means that personal data protection guarantees are selection criteria. Of course, we’re talking about perceived guarantees, and therefore a privacy-washing strategy may be possible, but a user or consumer expresses a demand for services that are more compliant with regulations and therefore more secure.
This, in effect, increases the cost of cybercrime in this area.
Less readily available data actually leads to higher costs.
It’s the market, baby.
Stefano Gazzella