Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Data is their business, and business is good
The black market in personal data is the focus of this year’s Internet Organised Crime Threat Assessment (IOCTA). The annual report from Europol’s European Cybercrime Centre draws upon thousands of investigations that Europol supported over the past year. “Stolen data fuels the digital underworld, powering a criminal ecosystem that spans from online fraud and ransomware to child exploitation and extortion,” the agency said. Cybercriminals use a constantly evolving toolkit, ranging from phishing and phone scams, to malware and AI-generated deepfakes, to compromise systems and steal personal information, which is then sold, resold, and repackaged by data and access brokers operating across dark web forums, encrypted channels, and subscription-based criminal marketplaces.
Help Net Security’s coverage began with the arresting intro “Cybercriminals are stealing data and running full-scale businesses around it”. It highlighted how these criminals “go after everything from login credentials to credit card numbers, medical records, and social media accounts”. This data helps them access accounts, impersonate users, or sell that access to others. Access to an account is often just the beginning, it added. “Once inside, attackers can move laterally through a network, steal more data, and carry out scams using the victim’s identity.”
The value of data to criminals also came to light in recent analysis by Forescout Research and Vedere Labs. It found nearly 2.45 billion exposed identities in 2024.
Some of these are likely to be duplicates, so many people will be affected by more than one breach, but it’s still a staggering amount. The data spans all sectors but the healthcare sector in particular is hit hard. Forescout’s VP of security intelligence Rik Ferguson said the figure was probably a conservative estimate. “Identities are currency, and a conservative valuation of this amount of data is easily $10bn USD. Identities also lie at the foundation of many of the breaches we see today,” he wrote.
All-Ireland cybersecurity sector has scope for growth
Ireland’s cybersecurity sector is worth €3.2 billion and is now one of the largest in Western Europe, according to a new report. Cyber Ireland’s 2025 All-Island Cyber Security Sector Report shows the industry is made up of 632 firms across the entire island of Ireland, employing 10,600 professionals. The sector grew its revenue by 13.4 per cent over the past two years.
The sector features a diverse mix of companies, with large firms making up 29 per cent, primarily due to significant foreign direct investment from the U.S. in particular. The Republic of Ireland’s proportion of micro firms (40 per cent compared to 20 per cent in Northern Ireland) suggests opportunities to bolster the start-up ecosystem. At the launch, NI Cyber cluster manager Joanne English noted that 42 cybersecurity companies already have active offices in both NI and Ireland. This shows “a clear appetite for cross-border collaboration, and we must now work to realise the opportunities of a more integrated all-island cybersecurity market”.
The report found that some cross-border collaboration is happening but fragmentation still lingers. Barriers for the all-island industry include policy gaps, procurement challenges and security clearance issues. To that end, Cyber Ireland and its Northern Irish equivalent NI Cyber signed a memorandum of understanding, to encourage increased cross-border collaboration, engage in joint R&D endeavours and raise the profile of the all-island sector internationally. “Cybersecurity is not just a technological issue, it’s a strategic economic opportunity,” said Cyber Ireland’s cluster manager Eoin Byrne. The full 76-page report is available to download.
Data protection and privacy roundup: DPC fines DSP and DNS driven from the EU
The Data Protection Commission has fined the Department of Social Protection €550,000 after concluding that its ‘SAFE 2’ registration process for scanning and storing biometric facial templates for holders of the Public Services Card violated GDPR rules. The DPC found the department lacked a clear legal foundation for collecting and retaining the data, failed in its transparency obligations, and its Data Protection Impact Assessment was not sufficiently thorough. The fine is five times greater than the next largest penalty for a public body; the DPC also issued an order to stop DSP from processing biometric data.
In announcing the fine, the DPC noted the “highly sensitive personal data” that the DSP was storing and processing on a large scale. In 2021, the DSP held biometric facial templates for 70 per cent of the population of the State. “Under the GDPR, biometric data is categorised as special category data to which higher protections and safeguards must be applied,” the regulator said.
For anyone seeking a privacy-focused domain name service provider based in the EU, the cybersecurity agency ENISA has a new project. DNS4EU provides a protective, privacy-compliant and resilient infrastructure for resolving DNS lookups. It’s intended as a public alternative to the system of routing queries through U.S. tech giants like Google and Cloudflare.
For privacy professionals who are coming under increasing pressure to evaluate AI tools and assess whether they’re suitable for their organisations to use, Phil Lee has a helpful guide to triage them for possible compliance risks.
