Data theft: between media perception and operational reality

Every day, cybercriminals claim dozens of data thefts.

Even when some of these claims turn out to be falsified or misleading, their media and reputational effects have already spread.

Data theft can be defined as stealing digital information stored on computers, servers or electronic devices usually with the aim of obtaining confidential information or compromising its confidentiality. This may include the theft of personal data (last name, first name, telephone number, email address), customer and employee data (commercial or salary information, personnel numbers, etc.), internal documents, intellectual property, etc.

Data, and particularly personal data, has become the new black gold. It is sought after by a number of actors, many of them malicious, who are ready to use increasingly sophisticated stratagems to gain access to it and exploit it.

With a large part of the world’s population using the Internet daily (71% in 2025 according to the ITU), new generations are increasingly aware of attack patterns. Data protection is no longer an issue reserved for IT experts alone; it is becoming a collective concern.

As a result, data theft is now a recurring topic in the press, with media coverage often giving the impression of a permanent and uniform increase in the threat. A gap is then created between a perception resulting from media logic, often based on sensationalism, and a more concrete and operational reality, in which cybersecurity analysts, accustomed to the constant and daily flow of data, can sometimes tend to minimize their impact.

What could be the consequences of this discrepancy?

Data leaks are cybersecurity topics that are particularly accessible to the general public, because they have an immediate and concrete impact and require no technical knowledge to grasp. Certain public statements tend to present these events as exceptional, highlighting elements perceived as spectacular (large volumes, alarming wording) while sometimes leaving the technical context, the timeline or the real value of the data concerned in the background. This way of presenting information frequently favors the most visible and immediate aspects, to the detriment of a more nuanced and in-depth analysis of the incident.

In June 2025, a massive theft of 16 billion credentials was revealed by the specialized press. The headlines created widespread panic, prompting many customers to contact their cybersecurity providers. However, after investigation, it turned out that this data came from various sources already available online, grouped together in a “combolist”. An analysis led by Troy Hunt reduced the estimated impact by showing that only 3 billion of the credentials were unique.

Some cybercriminals, seeking to create buzz, send samples of stolen data directly to the media, causing confusion and panic. Because security experts cannot validate this information, it becomes difficult to measure the legitimacy and extent of the compromise. Vincent Strubel, Director of ANSSI, emphasizes that there is often an “overlay of bluff” in claims of data theft, aimed at exaggerating the attacks.

Finally, the image of the anonymous hacker haunting the dark web is still very widespread, while the reality of data leaks is more often linked to human error, misconfiguration or abuse of legitimate access than to sophisticated attacks.

Operational reality from a cybersecurity analyst’s perspective

The cybersecurity analyst should deploy an OSINT methodology to collect information and, if possible, attempt to identify the origin of the data leak. Examining various sources, such as cybercriminal forums and Telegram channels, can help trace the malicious actor’s post. This makes it easier to retrieve shared data samples or entire databases, provided they are not offered for sale.

After downloading the database, the analyst will attempt to measure the impact of the exfiltration against very specific criteria: the nature and freshness of the data, its level of completeness, its actual usability, and the possible presence of encryption or other additional protections. Based on these indicators, the analyst can assign a criticality level (low, moderate, high, critical) to the incident, which helps victims determine the real impact of the leak.
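As an added illustration (not code from the original article), the following Python triage script applies the criteria above to a constructed combolist-style sample: it deduplicates records (the gap between the 16 billion headline figure and the 3 billion unique credentials), counts malformed lines as a completeness measure, distinguishes hashed from plaintext secrets as a usability measure, and takes the age of the data as input to assign a criticality level. The thresholds in `rate()` and the sample data are assumptions for the example, not the article's scale.

```python
import re
from dataclasses import dataclass
# Constructed "combolist"-style sample (email:secret per line), not real data;
# the duplicate lines, the malformed line and the hashed secrets are deliberate.
SAMPLE_DUMP = """\
alice@example.com:Summer2024!
bob@example.com:hunter2
alice@example.com:Summer2024!
carol@example.com:$2b$12$C6UzMDM.H6dfI/f/IKxGhuGVXkNjLW0R7pEwaD4Z7u4f5x5aQaq2W
not-a-valid-record
dave@example.com:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.com:hunter2
"""

RECORD_RE = re.compile(r"^([^:\s]+@[^:\s]+):(.+)$")
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$")            # bcrypt modular-crypt prefix
HEX_DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5/SHA-1/SHA-256

@dataclass
class LeakAssessment:
    total_lines: int        # raw volume, the figure headlines usually quote
    unique_records: int     # volume after deduplication
    malformed: int          # completeness: lines carrying no usable record
    plaintext_secrets: int  # usability: secrets not protected by hashing
    criticality: str

def is_hashed(secret: str) -> bool:
    return bool(BCRYPT_RE.match(secret) or HEX_DIGEST_RE.match(secret))

def rate(unique: int, plaintext: int, age_days: int) -> str:
    """Illustrative criticality thresholds (an assumption, not the article's scale)."""
    if unique == 0 or (plaintext == 0 and age_days > 365):
        return "low"
    if plaintext / unique >= 0.5 and age_days <= 90:
        return "critical" if unique >= 1000 else "high"
    return "moderate"

def assess_dump(text: str, age_days: int) -> LeakAssessment:
    """Deduplicate, check completeness and usability, then assign a criticality."""
    lines = [line for line in text.splitlines() if line.strip()]
    records, malformed = set(), 0
    for line in lines:
        match = RECORD_RE.match(line)
        if not match:
            malformed += 1
            continue
        records.add((match.group(1).lower(), match.group(2)))  # same account twice counts once
    plaintext = sum(1 for _, secret in records if not is_hashed(secret))
    return LeakAssessment(len(lines), len(records), malformed, plaintext,
                          rate(len(records), plaintext, age_days))
```

Running `assess_dump(SAMPLE_DUMP, age_days=10)` reports 7 raw lines but only 4 unique records, 1 malformed line and 2 plaintext secrets; the same dump dated over a year old drops to "moderate" because freshness weighs on the rating.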

The cybersecurity analyst must then work closely with multiple stakeholders to manage the data breach effectively. This begins by quickly informing company managers so that they can take appropriate measures to limit the impact of the incident. Depending on the severity of the leak, external communication may be necessary, particularly with users and customers, to keep them informed of the actions under way. If personal data is involved, notification of regulators, such as the CNIL in Europe, may also be required. Finally, in the event of a significant data leak or large-scale cyberattack, it is essential to coordinate actions with the competent authorities, such as ANSSI in France, to ensure the situation is handled appropriately.

That being said, although the real impact of an incident sometimes turns out to be less significant than announced, the phenomenon should not be minimized either. The multiplication of attacks and their increased media coverage, together with the sheer volume of data that cybersecurity analysts must process, can lead to fatigue caused by the excessive number of alerts received. This fatigue occurs in particular when IT teams or system administrators become desensitized to the many alerts generated by threat monitoring systems, and end up overlooking the real impact of certain data leaks. Ultimately this can exhaust teams and lead to a poor assessment of the threat and of the possible attack scenarios.
