Threat Class · Active Research · 2013–2026 Human-Centered Security

Identity & Privacy as Attack Infrastructure

How personal data exposure, credential architecture failures, data broker ecosystems, and account recovery weaknesses combine to form a persistent, human-centered attack surface that operates independently of traditional IT security controls — examined across US, EU, and international regulatory dimensions.

IdentityCredential SecurityData BrokersAiTM PhishingSIM SwapOSINT ExploitationAccount TakeoverExecutive ExposureHuman Attack SurfacePrivacy RiskSocial EngineeringPADFAAGDPRNIS2EU AI ActENISA ETL 2025EDPB

Research Window

2013–2026 (ongoing)

Last Revised

May 2026

Status

Open · Active

Threat Type

Structural / Systemic

Confidence

High (methodology) · High (current risk)

Section

Privacy & Identity Security

Executive Summary

Over the past decade, the identity and privacy of individuals — their email accounts, phone numbers, home addresses, family relationships, credit profiles, and digital behavioral history — has evolved from a personal concern into a critical layer of attack infrastructure. Threat actors no longer need to breach a corporate firewall to compromise an organization. They begin outside it, with legal purchases from data brokers, password dumps from credential marketplaces, and OSINT harvested from social media, public records, and people-search sites. From that foundation, they build attack chains that bypass multi-factor authentication, impersonate executives, commit wire fraud, steal identities, and reach inside organizations through the humans who work there.

Unlike the other entries in this archive, this is not a single vulnerability, CVE, or disclosed incident. It is a structural condition of the modern digital environment: the combination of a massively over-exposed data broker ecosystem, an identity system built on authentication factors that can be intercepted or rerouted, and a population of individuals, families, small businesses, and executives who have no dedicated privacy or identity security support.

The FBI's 2025 Internet Crime Report documented over one million cybercrime complaints with losses exceeding $20.9 billion — a 26% year-over-year increase — with phishing as the most commonly reported crime type and SIM swapping appearing in the top five threat categories for the first time. Identity-based threats, per Red Canary's 2026 Threat Detection Report, increased 850% from 2024 to 2025, accounting for 53% of all confirmed threat detections. What changed was not a new vulnerability. What changed was the maturation of a commercial-grade attack infrastructure built on the persistent, legal availability of personal data.

Operationally, this threat class is significant because it completely bypasses the perimeter. A threat actor who has profiled a target executive using data brokers, obtained their phone number's carrier record via SIM swap, and bypassed SMS MFA has not touched the organization's firewall, EDR, SIEM, or SOAR. The compromise path was entirely human and infrastructural. The fix is not a patch; it is an architectural shift in how identity is designed, how personal data exposure is managed, and how people are trained to behave.

850%

Increase in identity threat detections, 2024→2025

Red Canary Threat Detection Report 2026

$20.9B

Cybercrime losses reported to FBI IC3 in 2025 — record high

FBI IC3 Annual Report 2025

53%

Of all confirmed threat detections were identity-based in 2025

Red Canary Threat Detection Report 2026

€1.2B

GDPR fines levied across Europe in 2025 — 443 breach notifications/day, up 22% YoY

DLA Piper GDPR Fines Survey, Jan 2026

4,875

EU cyber incidents analysed by ENISA ETL 2025 — phishing accounts for 60% of initial intrusions

ENISA Threat Landscape 2025

Data brokers received PADFAA warning letters from FTC, February 2026

FTC / Wiley Law, February 2026

Why This Belongs in the Archive

This threat profile belongs in the Deretti Cyber Labs archive because it redefined what the attack surface means in practice, and because the security industry has systematically underinvested in it relative to its actual risk.

It exposed systemic dependence on identity infrastructure that was never designed for adversarial conditions. Email addresses were designed for communication. Phone numbers were designed for telephony. Neither was designed to be the primary authentication factor for financial accounts, cloud infrastructure, or healthcare records — yet both now serve that role for hundreds of millions of people.
It demonstrated a vector that completely bypasses traditional IT and OT cybersecurity controls. An AiTM phishing attack that intercepts a session cookie, or a SIM swap that reroutes SMS MFA, does not require the attacker to touch the target organization's network, endpoints, or applications. Firewalls, EDR, network segmentation, and SIEM provide essentially zero protection against these techniques.
It required a rethinking of what constitutes a threat model. Most enterprise security programs model threats at the network or application layer. This threat class begins at the data layer — personal data available legally and commercially — and executes at the human layer, before any IT control is relevant.
It produced a continuing escalation rather than a closed event. The data broker ecosystem has grown, not contracted. AiTM phishing kits have become commoditized. SIM-swapping volume has increased. AI-powered impersonation tools have made social engineering dramatically more effective.
It connects the personal and the professional in ways that organizational security programs have not adapted to. The executive who uses their personal email as an MFA recovery path, the employee whose home address is publicly listed on a people-search site, the family member who answers a deepfake voice call — these are not edge cases. They are the normal condition of every person who works in a modern organization.

Key Facts

Item	Detail
Name	Identity & Privacy as Attack Infrastructure
Aliases	Account takeover (ATO), credential stuffing, identity theft, AiTM phishing, SIM swapping, social engineering, executive impersonation, BEC, OSINT-enabled targeting, data broker exploitation
First Significant Escalation	∼2013 (credential theft industrialization); AiTM commercial infrastructure ∼2020–2021; AI-enhanced social engineering ∼2023–2024
Type	Human-centered / Credential infrastructure / Identity system architectural weakness / Data layer exploitation
Affected Entities	Individuals, families, executives, SMBs, MSPs, enterprises, financial institutions, healthcare organizations, government contractors
Primary Impact	Account takeover, wire fraud, ransomware initial access, executive impersonation, identity theft, credential-enabled data breach, OSINT-facilitated physical threat
Exploitation Method	AiTM proxy phishing (session cookie theft), SIM swapping, OSINT + social engineering, credential stuffing, data broker profiling, AI voice/video impersonation, account recovery abuse
Patch / Fix	No single software patch possible. Requires hardware-bound phishing-resistant MFA (FIDO2/WebAuthn), personal data exposure reduction, account recovery hardening, and behavioral awareness at the human layer
Recovery Method	Session revocation (not just password reset), credit freeze, carrier PIN/port freeze, MFA method upgrade, account recovery path audit, identity theft reporting via IdentityTheft.gov
Attribution	Organized criminal groups (BEC gangs, ransomware affiliates), individual opportunists, nation-state actors targeting executives and contractors, fraud-as-a-service operators
Confidence	High (methodology and feasibility) · High (active and escalating)

Background

The digital identity problem began with a design assumption that was never revisited: that the people communicating over digital networks could be trusted, because only the people you meant to reach had access to the identifiers you used. Email addresses were privately shared. Phone numbers were unlisted by default. Passwords were locally memorized. The threat model was natural failure — typos, forgotten passwords, wrong numbers — not adversarial exploitation.

That assumption collapsed gradually, then rapidly, across three converging trends.

The Data Broker Ecosystem

Beginning in the late 1990s and accelerating through the 2010s, a commercially legal ecosystem emerged that aggregated, enriched, and sold personal data at industrial scale. Data brokers collect information from public records (real estate transactions, voter registrations, court filings, business licenses), commercial data sources (purchase histories, credit header data, subscription records), and increasingly from real-time bidding (RTB) advertising exchanges, where location signals are broadcast billions of times daily. The FTC's December 2024 enforcement action against Gravy Analytics documented a company processing approximately 17 billion location signals per day from consumer devices, without meaningful user consent, then selling derived profiles segmented by sensitive attributes including medical conditions, religious attendance, political affiliation, and military status.

The result is that by the early 2020s, a threat actor with $20–30 and an internet connection could purchase a detailed personal profile of virtually any American: full name, date of birth, current and historical home addresses, phone numbers, email addresses, family relationships, estimated income, and employment history. This data is not stolen. It is purchased legally. The harm is not the result of a breach; it is the result of a business model.

The Credential Marketplace

Parallel to the data broker ecosystem, a credential marketplace emerged from two decades of data breaches. Large-scale breach events — including LinkedIn (2012, 117M credentials), Yahoo (2013–2014, 3B accounts), Equifax (2017, 147M individuals), and National Public Data (2024, ~2.9B records claimed) — deposited enormous volumes of personally identifiable information and password hashes into the hands of threat actors. Credential stuffing — the automated testing of username/password combinations across multiple services — became trivial. The 2025 Verizon DBIR documented stolen credentials as the initial access vector in 22% of all breaches, with account compromise surging 389% year-over-year.

The Authentication Gap

The industry response to credential theft was multi-factor authentication, and it was the right response to the wrong threat. SMS-based MFA — the dominant deployed form — protects against credential stuffing but not against SIM swapping, AiTM session hijacking, or social engineering. TOTP app-based MFA is stronger than SMS but remains vulnerable to AiTM phishing, where the attacker intercepts the one-time code in real time. The only authentication factor class that is architecturally immune to both SIM swap and AiTM is FIDO2/WebAuthn — hardware-bound, cryptographically signed, domain-scoped authentication — which CISA and NIST have formally endorsed as the target standard, but which remains underdeployed across the enterprise and almost entirely absent in consumer-facing contexts.

The Composite Attack Chain

What distinguishes this threat class from a single vulnerability is the layered, modular nature of modern identity attacks. Threat actors do not rely on a single technique; they assemble a chain of commercially available components, each one legal or borderline legal at the data acquisition stage, each one building on the last.

Passive Profiling — Data Broker Harvest

The attacker purchases or scrapes a detailed personal profile of the target from people-search sites and data brokers. Output: full name, date of birth, current/historical addresses, personal phone numbers, personal email addresses, family member names and contact information, employer, estimated income, and social media handles. Cost: $20–$40 via commercial platforms. No technical skill required. Data is legally acquired.

Credential Enrichment — Breach Dump Correlation

The profile is cross-referenced against leaked credential databases and breach aggregators. Password patterns, email variants, and previously used passwords are harvested. Common reuse patterns (password + birth year, pet name, address number) derived from the data broker profile are used for targeted guessing. Output: likely current passwords or password patterns for the target and their family members.

MFA Bypass — SIM Swap or AiTM Proxy

SIM Swap path: The attacker calls the target's mobile carrier using the profile data (billing address, account PIN if available from breach dumps) to social-engineer a SIM transfer. The phone number is ported to an attacker-controlled SIM. All SMS MFA codes and account recovery messages now route to the attacker. AiTM path: A phishing kit (Evilginx2, Modlishka, Typhoon 2FA) acts as a reverse proxy between the victim and the legitimate service. The victim authenticates fully — including completing their MFA challenge — while the kit captures the authenticated session cookie. The attacker imports the cookie into a fresh browser session and inherits an already-authenticated, already-MFA-verified session with no further authentication required.

Account Recovery Subversion

Recovery paths are the back door. Even where primary authentication is strong, account recovery mechanisms commonly fall back to SMS codes (now attacker-controlled via SIM swap), security questions (answers derivable from the data broker profile), or backup email addresses (potentially compromised in step 2). The attacker triggers a password reset on the primary account via the compromised recovery path, completing the takeover without needing the original password or MFA factor at all.

Lateral Expansion — Human and Organizational

With access to a primary email account (typically the master key to all downstream accounts), the attacker enumerates connected services, financial accounts, cloud storage, and organizational access. If the target has organizational access (Microsoft 365, Google Workspace, VPN), the attacker establishes persistence via inbox forwarding rules, OAuth consent grants, and MFA method changes — the classic BEC setup. For executives, the compromised account may be used to authorize fraudulent wire transfers or pivot laterally into cloud infrastructure.

AI-Enhanced Impersonation Layer

In higher-sophistication campaigns, voice cloning and video deepfake tools are applied to the profiled target. A convincing AI voice clone requires only a few minutes of publicly available audio (conference presentations, media interviews, LinkedIn voice features). In one documented 2025 case, a finance employee authorized a $25M wire transfer after attending a deepfake video call constructed entirely from publicly available executive footage. The data needed to build the attack — audio samples, photos, organizational context — was all publicly accessible before the attack began.

Structural Note

None of step 01 required a breach. The data broker ecosystem provides the profiling layer legally. None of step 03 (AiTM path) requires touching the target organization's network. None of step 06 requires any technical access. The entire attack chain can be assembled without triggering a single enterprise security control.

Affected Entities, Vectors, and Systems

Unlike a typical CVE with a fixed vendor and version scope, identity and privacy attacks affect any entity for which personal data is available and for which identity-based authentication is the primary access control.

Individuals and Families

The highest-exposure category by volume. Personal data is broadly available, authentication is typically SMS-based or password-only, and recovery paths typically rely on the same phone number already profiled. Elder fraud is the most financially damaging subcategory: FBI IC3 2025 data shows victims over 60 filed 201,000 complaints totaling $7.75 billion in losses — 37% of all reported cybercrime losses. AI voice clone scams, tech support fraud, and romance scams are the dominant vectors. The family attack surface also includes children's digital footprints (Social Security numbers used fraudulently before the child knows they have credit), home surveillance devices, and location sharing.

Small and Medium Businesses

SMBs face enterprise-grade threats — BEC, ransomware initial access, vendor impersonation, executive spear-phishing — without enterprise-grade security resources. Business Email Compromise was the second-largest category in FBI IC3 2025, with $3.05 billion in losses. Most BEC attacks begin with a compromised email account obtained via credential stuffing or AiTM phishing. SMBs also frequently have personal/business identity boundary failures: owners using personal email for business MFA, personal cloud storage mixing with business data, personal devices connecting to company systems without management.

Executives and High-Value Individuals

Executives are uniquely exposed because their professional visibility creates an enormous public data footprint. A data broker profile of a senior executive may include their full family structure, home address (including mortgage records), personal phone and email, travel patterns, board affiliations, and estimated net worth. Research in 2025 found that executives are 4× more likely than average employees to click on malicious links, because attackers use brokered profile data to craft highly personalized spear-phishing referencing actual colleagues, real projects, and genuine travel plans.

IT Administrators and MSP/MSSP Operators

The supply chain category. A compromised MSP administrator account provides access to all tenant environments managed by that MSP — potentially dozens or hundreds of SMB customers. Administrative accounts with standing privileges, no MFA, or SMS-based MFA are the highest-value target in any organizational identity attack. CISA has explicitly identified that AiTM campaigns which bypassed every other MFA type in 2024 and 2025 did not work against FIDO2 hardware-bound authentication.

MFA Method Vulnerability Matrix

MFA Method	SIM Swap	AiTM Proxy	MFA Fatigue	Social Engineering	NIST/CISA Classification
SMS / Voice OTP	Vulnerable	Vulnerable	Vulnerable	Vulnerable	Not phishing-resistant
TOTP App (Authenticator)	Protected	Vulnerable	Protected	Vulnerable	Not phishing-resistant
Push Notification (Duo, MSFT)	Protected	Conditional	Vulnerable	Vulnerable	Not phishing-resistant
FIDO2 Hardware Key (YubiKey)	Protected	Protected	Protected	Protected	Phishing-resistant · AAL3
Passkey (Synced, platform)	Protected	Protected	Protected	Partial	Phishing-resistant · AAL2
Smart Card / PIV / CBA	Protected	Protected	Protected	Protected	Phishing-resistant · AAL3

NIST SP 800-63B-4 / CISA Secure by Demand guidance, 2024. AiTM conditional for push = number matching reduces but does not eliminate risk.

EU & International Regulatory Landscape

While US regulatory frameworks (PADFAA, CISA guidance, OMB M-22-09, FTC Section 5) have defined the operational baseline for identity and privacy threat mitigation in North America, the EU and UK have developed a parallel — and in several dimensions more prescriptive — regulatory architecture. For multinational organizations, MSPs with European clients, and executives with cross-border exposure, understanding both frameworks is an operational necessity, not a compliance exercise.

GDPR — The Foundational Identity and Privacy Control Layer

The General Data Protection Regulation (GDPR), in force since May 2018, is the world's strongest data protection law in terms of fine structure and extraterritorial reach. It applies to any organization that processes personal data of EU individuals, regardless of where that organization is located. Fines scale to up to €20 million or 4% of global annual turnover, whichever is higher, for the most severe violations. As of March 2026, European supervisory authorities have levied over €7.1 billion in cumulative GDPR fines since 2018.

Critically for identity and privacy threat analysis, GDPR frames identity security as a legal obligation, not merely a best practice. Article 32 requires controllers and processors to implement "appropriate technical and organisational measures" including pseudonymisation and encryption; Article 33 mandates a 72-hour breach notification window to the supervisory authority; and Article 17 — the "right to be forgotten" — creates an enforceable individual right to erasure that directly implicates the data broker ecosystem. In 2025, the EDPB's coordinated enforcement action on the right to erasure found that 764 controllers across Europe showed systematic deficiencies in processing deletion requests — directly relevant to personal data exposure.

€530M

Largest GDPR fine in 2025: Irish DPC vs. ByteDance (TikTok) for unlawful international data transfers

DLA Piper GDPR Survey / Irish DPC, April 2025

€7.1B

Cumulative GDPR fines since May 2018 across all EU/EEA jurisdictions

CMS GDPR Enforcement Tracker, March 2026

443/day

Average personal data breach notifications per day in the EU — a record high, up 22% from 2024

DLA Piper GDPR Survey, January 2026

764

EU controllers across 32 DPA jurisdictions found deficient in right-to-erasure compliance in the 2025 EDPB coordinated action

EDPB CEF Report, February 2026

NIS2 — Authentication and Identity as Critical Infrastructure Law

The NIS2 Directive, which EU member states were required to transpose into national law by October 17, 2024, is the EU's primary binding cybersecurity law for critical infrastructure and essential services. NIS2 is directly relevant to identity security because it mandates specific authentication and access management controls with legal force — and crucially, it makes senior management personally liable for infringements.

NIS2 Article 21 requires covered entities to implement "multi-factor authentication or continuous authentication solutions" and "secured voice, video and text communications, and secured emergency communication systems." For essential entities (energy, transport, healthcare, digital infrastructure, banking), violations carry fines up to €10 million or 2% of global annual turnover. For important entities, fines reach €7 million or 1.4% of turnover. Unlike GDPR, where fines target the organization, NIS2 includes direct personal liability for C-level executives — a development that directly changes the risk calculus for identity security investment decisions at the board level.

NIS2 Identity Requirements at a Glance

Mandatory under NIS2 Article 21 for essential and important entities:

— Multi-factor authentication or continuous authentication for all users including privileged accounts and remote access
— Access control with least-privilege enforcement
— Identity and access lifecycle management (registration, approval, deprovisioning)
— Policies for authentication of subcontractors and supply chain identities
— Regular access audits with documented evidence
— Personal management liability: supervisory bodies can hold management personally liable for non-compliance

EU AI Act — Deepfakes, Biometrics, and the Impersonation Threat

The EU AI Act, the world's first comprehensive AI regulatory framework, introduces a set of obligations that directly intersect with identity and privacy threats. Article 50 mandates that deployers of AI systems generating synthetic audio, images, or video constituting a deepfake must disclose that the content is artificially generated. Providers of AI systems generating such content must ensure outputs are marked in a machine-readable format detectable as AI-generated. These obligations apply to the operators deploying AI generation tools — not the malicious actors using them — but they create a legal standard against which legitimate impersonation detection systems can operate.

Simultaneously, the EU AI Act restricts real-time remote biometric identification in public spaces to narrow law enforcement exceptions, and explicitly prohibits AI systems that "exploit any of the vulnerabilities of a specific group of persons" or use subliminal manipulation — provisions that, in the enforcement guidance that follows, are likely to be applied to AI-enabled social engineering at scale. High-risk AI applications involving biometric identification or categorisation have compliance deadlines that were delayed by EU Parliament vote in March 2026 — pushed from August to December 2027 — reflecting the complexity of operationalizing the biometrics regulation.

ENISA Threat Landscape 2025 — EU Perspective on Identity Threats

ENISA's Threat Landscape 2025, covering 4,875 EU cyber incidents from July 2024 to June 2025, documents that phishing remains the dominant initial intrusion method, accounting for 60% of observed cases, with AI-supported phishing campaigns representing over 80% of all observed social engineering activity globally by early 2025. The ENISA report notes that info-stealers — tools that facilitate credential theft, session hijacking, and access brokering — are now the primary technical enabler of the broader identity attack economy. The Lumma info-stealer was assessed as the most prevalent info-stealer in the EU since the beginning of 2025.

ENISA ETL 2025 also documents the industrialisation of phishing through Phishing-as-a-Service platforms — including the Darcula platform, which enables operators of all skill levels to impersonate hundreds of organisations simultaneously. This aligns precisely with the AiTM infrastructure analysis covered in the Technical Overview section — but the ENISA data confirms the same tooling is being deployed at scale against EU organisations and public administrations, not only US targets.

EDPB 2026 Enforcement — Transparency as Identity Control

The EDPB's 2026 coordinated enforcement action, launched March 19, 2026, focuses on transparency and information obligations under GDPR Articles 12, 13, and 14 — the requirement that individuals are informed when and how their data is being processed. This directly implicates data brokers operating in Europe. A data broker that aggregates personal data for resale without satisfying GDPR's lawful basis requirements, or that fails to provide adequate transparency to data subjects, is in direct violation of the same GDPR articles that the EDPB is actively coordinating enforcement action on across 27 member states in 2026.

For organizations managing European operations or EU-resident client data, the EDPB 2026 action signals that the regulatory parallel to PADFAA in the US is arriving in the EU via the GDPR transparency enforcement sweep — targeting the data processing opacity that enables the commercial identity data ecosystem.

UK Post-Brexit: ICO and the Data (Use and Access) Bill

The UK's Information Commissioner's Office (ICO) continues to enforce the UK GDPR (a retained version of EU GDPR post-Brexit) with fines up to £17.5 million or 4% of global turnover. The UK Data (Use and Access) Bill, progressing through Parliament in 2025–2026, proposes to modernize the UK's data protection framework, including clarifications on legitimate interests for commercial data processing — a provision that privacy advocates have flagged could weaken some of the data broker restrictions that the EU maintains. The divergence in US, EU, and UK approaches to commercial personal data creates a fragmented international landscape where data flows freely across jurisdictions with inconsistent protections.

Regulatory Comparison

Framework	Jurisdiction	Max Penalty	Identity/MFA Mandate	Data Broker Controls	AI/Deepfake Rules	Status (May 2026)
GDPR	EU / EEA	€20M or 4% global turnover	Article 32 (appropriate measures)	Articles 6, 17 (lawful basis, erasure)	AI Act separate	Fully enforced since 2018; CEF 2026 active
NIS2 Directive	EU / EEA	€10M or 2% turnover (essential); management personal liability	Article 21: MFA mandatory for essential entities	Indirect (supply chain)	—	Transposition deadline Oct 2024; active enforcement
EU AI Act	EU / EEA	€35M or 7% turnover (prohibited AI)	—	Biometric processing restrictions	Article 50: deepfake disclosure mandatory	In force; biometrics deadline extended to Dec 2027
PADFAA	United States	$53,088/violation	—	Prohibits sale to foreign adversary entities	—	In force Jun 2024; 13 warning letters Feb 2026
FTC Section 5	United States	Civil penalties; injunctive relief	—	Unfair/deceptive practices standard	—	Active; Gravy Analytics action Dec 2024
UK GDPR / ICO	United Kingdom	£17.5M or 4% global turnover	Article 32 equivalent	Lawful basis, erasure rights	—	Active; Data Use & Access Bill in progress
California Delete Act (CCPA)	California, US	$200/day unregistered + fees	—	DROP (single opt-out request) platform live Jan 2026	—	DROP operational Jan 2026; active enforcement

Technical Overview

AiTM Phishing — Session Cookie Theft

Adversary-in-the-Middle phishing does not fake a login page. It proxies a real one. When a victim clicks a convincing phishing link, their browser is directed to an attacker-controlled server running a reverse proxy framework — Evilginx2, Modlishka, or a commercial PhaaS kit such as Typhoon 2FA. The proxy fetches the real login page from the legitimate service (Microsoft 365, Google, a banking portal) and serves it to the victim without modification — pixel-perfect, with a valid TLS certificate on a lookalike domain.

The victim enters their credentials and completes their MFA challenge. The proxy intercepts all of this in transit, forwards it to the real service, receives the authenticated response, and returns it to the victim. The victim sees their normal dashboard. Behind the scenes, the proxy has captured the authenticated session cookie and authentication token. The attacker imports these into a fresh browser session and is now logged in with full, MFA-verified access — without knowing the password, without possessing the MFA device, and without triggering any visible authentication event.

Why FIDO2 is the architectural break: The FIDO2/WebAuthn protocol cryptographically binds authentication to a specific origin (domain). When the victim's browser attempts FIDO2 authentication through an AiTM proxy, the browser sees that the actual domain does not match the registered domain for the passkey or hardware key. The authentication fails because the cryptographic protocol refuses to produce a valid credential for an unregistered domain. The attacker gains nothing from the intercepted session.

SIM Swap — The Phone Number Attack Surface

Phone numbers were designed for telecommunications, not for identity verification. A SIM swap requires the attacker to convince a mobile carrier's customer service representative to transfer a phone number to a new SIM. The information needed is frequently derivable from a data broker profile: full name, billing address, date of birth, and sometimes the last four digits of a Social Security number. Once the SIM is swapped, all SMS messages — including MFA codes and account recovery messages — route to the attacker. The legitimate owner's phone loses service. Every account using SMS MFA or listing this phone as a recovery method is now compromised.

OSINT and Data Broker Exploitation

Attackers aggregate from sources that are, individually, innocuous: LinkedIn for professional context, Facebook/Instagram for family relationships and location data, property records for home address, voter registration for residential history, and data broker sites that have already aggregated all of the above. The FTC's December 2024 enforcement against Gravy Analytics documented ~17 billion location signals per day collected from mobile devices via advertising exchange bid requests — data sold in enriched form segmented by sensitive inferred attributes including medical conditions, religious attendance, and political affiliation.

Account Recovery — The Architectural Back Door

Account recovery is the most consistently overlooked element of identity security architecture. An account with a strong password and hardware FIDO2 MFA is fully exposed if the recovery path falls back to an SMS code sent to a SIM-swappable number. The five failure modes observed across incident response cases:

SMS fallback recovery: Accounts with TOTP MFA frequently offer SMS as a backup recovery channel, which can be compromised via SIM swap.
Backup email address compromise: Recovery emails are frequently personal email addresses with weaker authentication than the primary account being protected.
Security questions: Answers to "mother's maiden name," "city of birth," "childhood street" — all derivable from a data broker profile within minutes.
Session persistence after AiTM: Sessions that do not expire, or that survive password resets, allow a stolen session cookie to maintain access indefinitely unless actively revoked.
Break-glass accounts: Administrative accounts created for emergency access, frequently left without rotation, sometimes still accessible via credentials that have appeared in breach dumps.

CISA / NIST Guidance

CISA's Secure by Demand guidance (2024) and NSA/CISA joint advisory specify that only FIDO2/WebAuthn and Smart Card/PIV authentication are phishing-resistant. NIST SP 800-63B-4 (2024) confirms that synced passkeys satisfy AAL2 and device-bound passkeys satisfy AAL3. OMB Memo M-22-09 requires phishing-resistant MFA across US federal agencies — the policy baseline that commercial enterprises should treat as a minimum target.

Impact

Operational Impact

Financial Loss: The FBI IC3 2025 report documented $3.05 billion in BEC losses, $2.1 billion in tech support scams, and $7.75 billion in losses to victims over 60. Total cybercrime losses reached $20.9 billion — a 400% increase from $4.2 billion in 2020. AI-enabled scam complaints exceeded 22,000 with over $893 million in attributed losses.

Reputational and Relationship Impact: Executive impersonation campaigns damage professional relationships through fraudulent communications sent from compromised accounts. AI voice clone scams damage family trust and erode confidence in communication systems. Elder fraud victims frequently experience shame and delayed reporting, which reduces recovery options significantly.

Forensic Degradation: AiTM attacks that steal session cookies leave no malware artifacts on endpoints. SIM swap attacks leave no digital forensic trail in the target's environment. The attack path exists in carrier records, browser session logs (if preserved), and identity provider sign-in logs — not in the places where traditional security monitoring operates.

Security Impact

Perimeter Bypass: The defining operational characteristic. An attacker who has profiled a target, obtained credentials via breach dump, bypassed MFA via SIM swap or AiTM, and established session persistence has not interacted with the target organization's network security controls at any point. The compromise exists entirely in the identity and session layer, upstream of enterprise security monitoring.

Trust Inversion: Once a session cookie or persistent authentication token is compromised, the identity provider treats all activity from that session as legitimate. Actions taken — inbox forwarding rules created, OAuth consents granted, new devices enrolled, privileged roles activated — appear as normal, authenticated user activity. Detecting this requires behavioral monitoring of identity provider logs, not network or endpoint telemetry.

Cascading Access: Email account compromise functions as a master key. The primary email address is typically the recovery channel for financial accounts, the authentication identity for cloud services, the inbox for security alerts, and the registered address for every downstream service. A single compromised primary email account can cascade into complete financial identity takeover within minutes.

National Security Dimension

The PADFAA dimension adds a national security layer that was not present in earlier identity threat frameworks. The Protecting Americans' Data from Foreign Adversaries Act, effective June 24, 2024, prohibits data brokers from selling personally identifiable sensitive data of US individuals to entities controlled by foreign adversary countries (China, Iran, North Korea, Russia). The FTC's February 2026 warning letters to 13 data brokers — specifically citing offerings that include information on the military status of US individuals — represent the first formal regulatory acknowledgment that the commercial data broker ecosystem constitutes a foreign intelligence risk vector, not merely a privacy concern. A military contractor's home address, family relationships, financial status, and movement patterns — all commercially available from data brokers — constitute a foreign intelligence collection asset.

What This Is Not

A network breach

Attackers do not need to penetrate firewalls or exploit software vulnerabilities. The attack begins in the data layer and executes at the identity layer.

A malware problem

No malicious code executes on any endpoint in the core attack chain. AiTM session theft and SIM swap leave no malware artifacts. EDR and antivirus provide zero protection.

A patchable vulnerability

There is no CVE, no software update, and no vendor patch that addresses this threat class. Mitigation requires architectural changes to authentication, recovery paths, and data exposure posture.

A consumer problem only

BEC losses alone totaled $3.05B in 2025. Ransomware initial access frequently begins with a compromised personal account. Every employee with a personal digital identity is an organizational attack surface.

Solvable with awareness training alone

Awareness reduces susceptibility but does not address architectural weaknesses. An employee who "knows about phishing" remains vulnerable to a pixel-perfect AiTM proxy page if FIDO2 is not deployed.

A closed or historical event

Identity threat detections increased 850% from 2024 to 2025. The data broker ecosystem has grown. AiTM kits are commoditized. AI impersonation tools are increasingly accessible. The trajectory is actively worsening.

Evidence and Source Notes

Evidence Type	Source	Date	Relevance	Confidence
Government Statute	PADFAA	June 2024	Formal recognition of data broker ecosystem as a national security risk vector	High
Regulatory Enforcement	FTC v. Gravy Analytics / Venntel	December 2024	Documents ~17B location signals/day processed without meaningful consent; sensitive attribute targeting	High
Regulatory Enforcement	FTC PADFAA Warning Letters to 13 Data Brokers	February 2026	First formal enforcement acknowledgment of foreign adversary data access risk; $53,088/violation penalty	High
Government Guidance	CISA Secure by Demand Guide (CISA + FBI)	2024	Establishes phishing-resistant MFA (FIDO2/passkeys) as procurement requirement; defines AAL standards	High
Government Guidance	NIST SP 800-63B-4 supplemental guidance on synced passkeys	2024	Confirms synced passkeys meet AAL2; device-bound passkeys meet AAL3	High
Annual Crime Report	FBI IC3 Annual Report 2025	April 2026	$20.9B cybercrime losses; BEC $3.05B; SIM swap in top 5 threat categories; 1M+ complaints	High
Threat Detection Data	Red Canary Threat Detection Report 2026	March 2026	Identity threats increased 850% YoY; 53% of all confirmed detections in 2025	High
Technical Analysis	Cisco Talos — State-of-the-Art Phishing: MFA Bypass	April 2025	Technical analysis of AiTM tooling, Evilginx2 mechanics, session cookie theft methodology	High
Technical Analysis	ThreatHunter.ai — CISA Got It Partially Right	March 2026	FIDO2 as architectural break; PIM + Authentication Context; no standing GA roles	High
Industry Research	GBI Impact — Executive Exposure (2025)	2025	Executive 4x click rate; deepfake $25M wire fraud case; OSINT-enabled targeting patterns	High
Industry Research	mePrism — Data Brokers and Identity Theft (2025)	2025	TransUnion breach July 2025 (4.4M); National Public Data resurgence; AI-enhanced social engineering at scale	Medium/High
Internal Notes	Deretti Lab Blog Archive (2022–2023)	2022–2023	Original philosophical and practical privacy/identity framing; foundational research DNA for this section	Medium/High

Evidence is organized by proximity to the operational threat. Government statute and regulatory enforcement establish the legal and policy baseline. Annual crime reports provide scale and trend data. Threat detection reports provide operational threat landscape context. Technical analyses document specific attack mechanics. Internal notes preserve the foundational research perspective connecting philosophical privacy framing to operational security practice.

Remediation

Remediation for this threat class is architectural, not symptomatic. A single MFA upgrade or data broker opt-out does not close the exposure; the entire identity security stack — authentication, recovery paths, data exposure, behavioral awareness — must be addressed in a layered, prioritized sequence.

Immediate · 0–24 Hours

Stabilize Critical Paths

Secure primary email first. The primary email is the master key. Enable the strongest available MFA. Remove SMS as a backup option if possible.
Set a carrier account PIN and request a number porting freeze. Primary SIM swap mitigation; takes under 10 minutes.
Freeze credit at all three bureaus (Experian, TransUnion, Equifax). Free under federal law. Prevents fraudulent account opening.
Check HaveIBeenPwned for email address exposure across known breach datasets.
Organizational: Review Entra ID / Google Workspace sign-in logs for AiTM indicators — sessions from unexpected locations, unusual OAuth consents, inbox forwarding rules.

Short-Term · 1–7 Days

Upgrade Authentication

Deploy a password manager. Eliminate credential reuse. Generate unique credentials for every service.
Audit MFA methods. Replace SMS with TOTP at minimum; target FIDO2/passkeys for email, financial, and cloud accounts.
Audit account recovery paths. Remove security questions. Ensure recovery email has strong MFA. Document break-glass credentials.
Enumerate personal data exposure. Search your name on people-search sites. Begin opt-out requests or engage a removal service (DeleteMe, Kanary).
SMB admins: Audit all admin accounts. Remove standing Global Admin privileges. Confirm break-glass accounts are documented and not in breach datasets.

Medium-Term · 1–4 Weeks

Harden Identity Infrastructure

Deploy FIDO2 hardware keys (YubiKey or equivalent) for all privileged accounts. The single most effective mitigation against AiTM for high-value accounts.
Implement passkeys for consumer-facing accounts. Major platforms (Google, Apple, Microsoft) now support passkeys as primary authentication.
Deploy Entra ID Conditional Access requiring compliant device and phishing-resistant MFA for privileged operations. Enable PIM to eliminate standing GA roles.
Establish a secondary phone number (Google Voice or VoIP) for low-trust registrations. Protect your real mobile number.
Conduct a family identity security briefing. Establish a family verification phrase. Walk through the AI voice clone scam pattern.

Long-Term · 1–6 Months

Architectural Resilience

Achieve full FIDO2 coverage across all privileged organizational accounts. Eliminate SMS and TOTP as options for admin roles and financial systems.
Establish personal/business account separation. No personal email as recovery path for business accounts. No personal devices as MFA without device management.
Continuous data exposure monitoring. Personal data reappears after removal. Set up monitoring for email/name combinations across new breach datasets.
Add identity theft response to organizational IR playbooks. Include session revocation workflows, carrier escalation paths, and IdentityTheft.gov reporting. Most current IR plans do not address personal identity attacks as organizational risk.
For executives: Engage executive digital privacy protection including comprehensive data broker removal, social media exposure audit, and AI impersonation monitoring.

Critical Recovery Note

After an AiTM compromise: reset the password AND revoke all active sessions. Password reset alone does not invalidate stolen session cookies. An attacker holding a captured session token remains authenticated after a password change unless the session is explicitly revoked. Entra ID: Revoke Sign-In Sessions. Google: "Sign out of all devices." This is the most commonly missed step in post-AiTM incident response.

Timeline

2013

Credential theft industrialization

LinkedIn breach (117M credentials), Adobe breach. Credential marketplace begins to scale. Password reuse exploitation via credential stuffing becomes automated and industrialized.

2014–2017

Breach accumulation and SIM swap emergence

Yahoo breach (3B accounts, disclosed 2016). Equifax breach (2017, 147M Americans including SSN/DOB/address — the most complete personal profile dataset ever created for attackers). First documented large-scale SIM swap campaigns targeting cryptocurrency holders.

2019–2020

AiTM phishing infrastructure emerges

Evilginx2 transitions from red-team tool to criminal infrastructure. First documented enterprise-scale AiTM campaigns targeting Microsoft 365 and financial institutions. SIM swap losses reported to FBI IC3 begin rising sharply.

2022

CISA / NSA phishing-resistant MFA advisory

CISA and NSA publish joint guidance identifying FIDO2/WebAuthn as the target standard. OMB Memo M-22-09 requires phishing-resistant MFA across US federal agencies — first formal mandate acknowledging TOTP and SMS are inadequate for high-value accounts.

2023

AI impersonation tools democratize

Voice clone tools capable of convincing impersonation from 3–5 minutes of audio become commercially available. First documented grandparent AI voice clone scams at scale. Deepfake video used in BEC context. NIST begins passkey AAL guidance revision.

Jun 2024

PADFAA comes into effect

Protecting Americans' Data from Foreign Adversaries Act effective. Data brokers prohibited from selling sensitive personal data to entities controlled by China, Iran, North Korea, or Russia. First formal legal recognition that the commercial data broker ecosystem constitutes a foreign intelligence risk.

Aug 2024

CISA Secure by Demand — passkeys as procurement requirement

CISA and FBI release Secure by Demand guide requiring passkeys by default as a software procurement criterion. NIST supplemental guidance confirms synced passkeys at AAL2.

Dec 2024

FTC v. Gravy Analytics enforcement action

FTC proposes settlement against Gravy Analytics and Venntel for selling sensitive location data without meaningful consent. Parallel action against Mobilewalla. First major FTC enforcement directly addressing the real-time location data broker business model.

Feb 2026

FTC PADFAA warning letters — 13 data brokers

FTC sends formal warning letters to 13 data brokers citing PADFAA obligations, specifically referencing offerings that include military status of US individuals. Up to $53,088/violation. Signals imminent enforcement sweep.

2025–2026

Identity threat dominance — current state

Red Canary: identity threats up 850%, now 53% of all detections. FBI IC3: $20.9B losses, BEC $3.05B, SIM swap in top 5 threats. TransUnion breach July 2025 (4.4M Americans). AI-enabled scam complaints exceed 22,000 with $893M+ in losses. The threat class continues to accelerate.

Indicators, Artifacts, and Detection Notes

Traditional IT indicators of compromise (IP addresses, file hashes, malware signatures) do not apply to identity-layer attacks. Detection requires telemetry from identity provider logs, carrier records, and behavioral monitoring of authentication patterns.

Type	Indicator / Observable	Notes
Identity Provider Log	Authentication from unexpected geography immediately following normal-geography authentication	Classic AiTM indicator: victim authenticates from home IP; attacker replays session from VPS within seconds
Identity Provider Log	MFA method change events not initiated by user	Post-compromise persistence: attacker enrolls their own MFA device after initial access
Identity Provider Log	OAuth app consent grants for unfamiliar applications	Persistent access method: attacker grants own app read/write access to survive password reset
Identity Provider Log	New inbox rules (especially forward-all or delete-on-arrival)	BEC persistence and alert suppression: attacker forwards copies to external address; deletes security notifications
Carrier / Phone	Sudden loss of cellular service while accounts appear active elsewhere	SIM swap indicator: device loses signal while account shows activity from a different device
Carrier / Phone	Unexpected password reset SMS messages not initiated by the user	Attacker triggering resets via compromised SIM before the victim realizes the swap has occurred
Email Header / URL	Lookalike domain in phishing link (e.g., login-microsoftonline-support.com)	AiTM domains are often newly registered, TLS-enabled, with slight character substitution or added words
Financial	Credit inquiry notifications for accounts you did not open	Identity theft indicator: attacker using profiled data to open fraudulent credit lines
OSINT / Passive	Personal information appearing on people-search sites beyond what you submitted	Indicator that your data is in the commercial ecosystem and accessible to threat actors for profiling

Detection Logic

Detection requires monitoring the delta between expected and actual identity behavior. A session that authenticates from a known home IP and then shows activity from a cloud VPS 30 seconds later is an AiTM indicator — if you are monitoring for it. Most consumer platforms do not surface this in real time; enterprise identity providers (Entra ID, Google Workspace) do, if sign-in risk policies and behavioral anomaly alerts are configured.

For accounts where FIDO2 is not yet deployed, the practical detection layer is: (1) identity provider sign-in log monitoring with alerting on new locations, new devices, and MFA changes; (2) active session review and regular revocation; (3) credit monitoring and account alert configuration for financial accounts; (4) carrier account monitoring for unexpected SIM or porting activity.

Tooling References

HaveIBeenPwned (haveibeenpwned.com): Email and phone number exposure check against known breach datasets. API available for organizational monitoring.
IdentityTheft.gov (FTC): Structured identity theft recovery workflows. The authoritative resource for personal identity compromise cases.
Entra ID Sign-In Logs / Risky Sign-Ins: Primary detection surface for AiTM and credential-based attacks in Microsoft 365 environments.
Google Account Security Checkup: Active session review, device enumeration, third-party app access audit.
Privacy removal services (DeleteMe, Kanary, Privacy Bee): Systematic data broker opt-out automation addressing the ongoing reappearance problem.
MITRE ATT&CK Techniques: T1078 (Valid Accounts), T1557.002 (AiTM), T1621 (MFA Request Generation/Fatigue), T1539 (Steal Web Session Cookie), T1534 (Internal Spearphishing).

Infrastructure Defense Lessons

1. What defenders should remember

Privacy and identity are not separate disciplines. Privacy defines what can be known about a person; identity determines what others can do as that person. When personal data is commercially available and authentication factors are interceptable, the two problems become one. The phone number is not an identity system. The email address is not an authentication factor. These design assumptions were made for convenience in a non-adversarial environment. They have been fully disproven by the current threat landscape.

2. What organizations consistently underestimate

The blast radius of personal exposure. Most organizations model their threat surface as the organizational network perimeter. They do not model the personal digital exposure of their executives, their admins, or their employees — but attackers do. An executive whose home address, personal email, and family structure are available from data brokers is an organizational attack surface, not just a personal risk. The BEC campaign that begins with the CEO's personal Gmail account does not appear on the corporate threat model until it is already in progress.

The other consistently underestimated factor is the gap between "has MFA" and "is protected." Organizations that have checked the MFA compliance box via SMS OTP have not resolved their AiTM or SIM swap exposure. They have created false confidence that may, in practice, be more dangerous than no MFA at all — because it removes the urgency to address the remaining vulnerability.

3. What held up well

Hardware-bound FIDO2 authentication. The AiTM campaigns that compromised every other MFA type in 2024 and 2025 did not compromise FIDO2. The domain binding mechanism — the cryptographic tie between the authenticator and a specific registered origin — is the architectural break that AiTM cannot route around. Organizations that deployed FIDO2 hardware keys for privileged accounts before the major AiTM escalation were functionally immune to that attack vector.

Credit freezes applied proactively — not reactively after loss — prevented fraudulent account opening in cases where personal data was already exposed. The freeze is a preventive architectural control that closes the financial identity opening without requiring the victim to first suffer harm.

4. What failed or became fragile

SMS as the universal authentication fallback. Carriers were not designed to be identity providers and do not have the fraud detection infrastructure appropriate to that role. The SIM swap attack is a social engineering attack against carrier customer service — a layer that enterprise security programs have no visibility into and no ability to harden directly.

Security questions. The entire knowledge-based authentication paradigm — mother's maiden name, childhood pet, elementary school — is a data broker lookup, not a security control. These should be treated as already-compromised for any user whose personal information appears in the commercial data ecosystem.

5. What this changed in practice

It forced a shift from perimeter-centric to identity-centric security architecture. The CISA/NSA phishing-resistant MFA guidance, OMB M-22-09, and NIST SP 800-63B-4 collectively represent the policy acknowledgment that identity is the new perimeter, and that authentication mechanisms protecting critical systems must be architecturally resistant to interception — not merely to unauthorized knowledge of a password.

It also drove the emergence of personal digital privacy as an operational security discipline. Executive protection programs now routinely include digital footprint reduction, data broker removal, and personal account hardening alongside physical security protocols. The recognition that an executive's home address and family relationships constitute an organizational attack surface — not merely a personal inconvenience — is the most significant conceptual shift in how this threat class is understood at the institutional level.

Key Takeaways

Perimeter Bypass Is Structural

AiTM phishing and SIM swap achieve account compromise without touching organizational network controls. The attack surface is the human and their identity infrastructure, not the IT perimeter.

Data Brokers Are Passive Attack Infrastructure

The profiling layer is commercially available before any attack begins. Legal purchase provides the same intelligence that previously required active reconnaissance or breach access.

MFA Is Not Monolithic

SMS and TOTP OTP do not protect against AiTM or SIM swap respectively. Only FIDO2/WebAuthn and Smart Card/PIV are architecturally phishing-resistant per CISA and NIST.

Recovery Paths Are the Real Attack Surface

The weakest link in an account's security is its recovery path. A FIDO2-protected account with an SMS recovery option has effectively SMS-level security.

Session Revocation, Not Just Password Reset

After AiTM compromise, session tokens survive password resets. Revoke all active sessions explicitly. This is the most commonly missed step in post-compromise recovery.

Personal and Organizational Risk Are Connected

An executive's personal digital exposure is an organizational attack surface. A data broker profile of the CFO is the first step in a BEC campaign, not merely a personal privacy matter.

AI Has Changed the Scale Problem

Voice cloning and deepfake tools have lowered the per-target cost of social engineering dramatically. A $25M wire fraud required no technical system access — only publicly available video and audio of the executives.

Active and Escalating

850% increase in identity threat detections from 2024 to 2025. $20.9B in cybercrime losses. PADFAA enforcement ramping. This is not a historical event. The trajectory is actively worsening.

References

1.
FBI Internet Crime Complaint Center (IC3) — 2025 Internet Crime Report (April 2026).
2.
Red Canary — Threat Detection Report 2026: Identity Attacks (March 2026).
3.
Wiley Law — FTC Sends Warning Letters to Data Brokers on PADFAA Compliance (February 2026).
4.
Alston Privacy — FTC Sends Letters Reminding Data Brokers of Their Obligations under PADFAA (February 2026).
5.
FTC / EPIC — FTC v. Gravy Analytics / Venntel and Mobilewalla (December 2024).
6.
CISA / FBI — Secure by Demand Guide: Phishing-Resistant Authentication / Passkeys by Default (August 2024).
7.
NIST — SP 800-63B-4 Supplemental Guidance on Synced Passkeys (AAL2/AAL3 classification) (2024).
8.
FIDO Alliance — NIST Cites Phishing Resistance of Synced Passkeys (2024).
9.
Cisco Talos — State-of-the-Art Phishing: MFA Bypass (April 2025).
10.
ThreatHunter.ai — CISA Got It Partially Right — FIDO2 as the Architectural Break for AiTM (March 2026).
11.
EBAS — OSINT and Identity Theft: When Publicly Available Data Become a Danger (February 2026).
12.
GBI Impact — Executive Exposure: How Publicly Available Personal Data Endangers Cybersecurity (2025).
13.
mePrism — How Data Brokers Fuel Identity Theft and Cybercrime in 2025.
14.
Verizon — 2025 Data Breach Investigations Report (DBIR). Stolen credentials in 22% of breaches; account compromise +389% YoY.
15.
OMB Memorandum M-22-09 — Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.
16.
Protecting Americans' Data from Foreign Adversaries Act (PADFAA), Public Law 118-50 (June 2024).
17.
Deretti Cyber Labs Blog Archive — A Philosophical Take on the Right to Privacy (July 2022); Our Personal Data Is a Goldmine for Cybercriminals (October 2023). Origin material for this research section.
18.
DLA Piper — GDPR Fines and Data Breach Survey: January 2026. €1.2B fines in 2025; 443 breach notifications/day; €7.1B cumulative since 2018.
19.
ENISA — Threat Landscape 2025 (October 2025). 4,875 EU incidents; phishing 60% of initial intrusions; AI-supported social engineering 80%+ of observed activity.
20.
EDPB — CEF Report: Right to Erasure (February 2026). 764 controllers assessed; seven recurring non-compliance challenges identified across 32 DPA jurisdictions.
21.
EDPB — CEF 2026: Coordinated Enforcement on Transparency and Information Obligations (March 2026). GDPR Articles 12–14 enforcement sweep; launched March 19, 2026.
22.
EU AI Act — Article 50: Transparency Obligations for AI-Generated Content. Deepfake disclosure mandatory; biometric processing restrictions; machine-readable watermarking required.
23.
European Parliament — EU Parliament votes to extend high-risk AI / biometrics compliance deadline to December 2027 (March 2026).
24.
Intercede / HID Global — NIS2 Authentication Requirements Analysis. Article 21 MFA mandate; management personal liability; essential entity fine structure up to €10M or 2% global turnover.
25.
California Privacy Protection Agency (CalPrivacy) — Delete Act Enforcement Advisory No. 2025-01 (December 2025). DROP (Delete Request and Opt-Out Platform) operational January 1, 2026.