Cybercrime: what risks and consequences for personal data?
28 November 2025
The CNIL commissioned a survey on French people's perceptions of the use of their personal data and consent to online advertising. This final article in a series of three publications looks at the financial harm for victims of personal data breaches.
Cybercrime related to personal data (e.g. data breach or theft) is a well-known and widely discussed phenomenon; however, its actual impact on individuals remains difficult to quantify.
Estimates of its total cost for society vary significantly depending on the source. For example, in France, Statista assessed the cost for organizations at €119 billion in 2024, while the consulting firm Asterès estimated it at only €2 billion for 2022. In light of these large discrepancies, the CNIL sought to better quantify the financial and non-financial harms borne by individuals (e.g. losses, changes in behaviour) as a result of the fraudulent use of their personal data. The CNIL also studied how the nature of cybercrime harms is likely to induce behavioural biases leading to risky behaviour.
This study echoes a theme previously explored in another CNIL publication that identified underinvestment in cybersecurity as a structural issue among companies. This new study shows that the very nature of cyber risk is likely to generate behavioural biases in individuals, hindering the emergence of an ecosystem resilient against cybercrime.
The CNIL studied this question through an online survey conducted by Harris Interactive from December 18 to 23, 2024 among a representative sample of 2,082 French residents aged 15 and older. Respondents were asked whether they had experienced fraudulent or unauthorized use of their personal data, and what material or immaterial harms had resulted.
The frequency and gravity of cybercrimes relating to personal data
The survey reveals that incidents involving the unauthorized use of personal data are frequent. 41% of respondents reported having already experienced fraudulent use of their data, and among them, 21% reported having suffered financial damage.
The average declared financial loss is €740. Identity theft stands out as the type of breach leading to the highest financial damage (with an average financial loss of €915).
Poorly protected personal data thus leads to tangible harms, clearly quantified by individuals, with impacts perceived as particularly significant, especially for lower-income groups.
Fraudulent use of personal data perceived by individuals in the last 3 years
| Fraudulent use of personal data | Frequency | Share resulting in any harm | Share resulting in moral harm (stress, anxiety) | Share resulting in financial harm | Average financial harm |
|---|---|---|---|---|---|
| Identity theft | 16% | 70% | 28% | 24% | €915 |
| Unsolicited marketing | 24% | 35% | 15% | 29% | €691 |
| Fraud or attempted financial fraud | 5% | 65% | 26% | 75% | €592 |
| Disclosure of damaging information | 7% | 76% | 27% | 18% | €609 |
| Blackmail or harassment | 4% | 71% | 19% | 13% | €450 |
Among those affected by these incidents, 30% reported them to a public authority (police, CNIL). The most common reaction is changing one’s behavior to reduce perceived risk, as mentioned by 67% of respondents.
These incidents also have a lasting impact on individuals’ trust: they lead to greater distrust and to the abandonment of certain digital services, particularly online shopping. Thus, 57% of individuals who suffered harm over the past three years reported giving up using a digital service out of fear that their personal data might be misused, compared with 35% for the general population.
Beyond direct financial losses, cybercrime fosters a climate of mistrust toward the digital economy, discouraging online transactions and thus amplifying its overall impact on both individuals and companies. These are the indirect costs of cybercrime, a notion already discussed by CNIL.
41% of respondents report having already experienced fraudulent use of their data in the last three years.
More than half of the respondents who experienced fraudulent use of their data in the last three years have given up using a digital service afterwards.
Harms: an unequal distribution of financial consequences
The CNIL observes a strong concentration of financial harms among a small number of respondents. Among the 2,082 people surveyed, total reported losses amounted to €131,614, i.e. an average of €63 per respondent. However, this average conceals considerable disparities: one person alone reported nearly €20,000 in financial harm.
Half of those experiencing financial harm reported amounts below €200, while 14% suffered damages exceeding €1,000, highlighting the highly uneven distribution of cybercrime-related harms.
The most serious incidents therefore appear as relatively rare but particularly severe.
The figure below illustrates this phenomenon by showing the distribution of financial harms across the population.
Distribution of financial harms of cybercrime
Guidance for reading the graph: The peak on the left side of the distribution represents the majority of individuals who experience financial harm of only around €100. However, a minority is affected by much higher amounts, which significantly lengthens the tail of the distribution (on the right side).
These figures also highlight the relevance and potential value, not only for companies but also for individuals, of emerging cyber insurance products developed by insurers and brokers, and can contribute to actuarial analyses in this area.
Understanding behavioural biases to avoid falling victim to them
In experimental economics, it is well established that individuals tend to overweight the likelihood of rare events and display risk aversion when faced with potential losses (Kahneman & Tversky, 1979). From this perspective, one might expect individuals to be particularly well prepared for the risk of cybercrime.
However, this bias only occurs when the probabilities of different events are explicitly stated to individuals (e.g. in weather forecasts). For many events, people instead infer probabilities from their past experiences. In such cases, the likelihood of rare events tends to be underestimated, a phenomenon known as the description–experience gap (Hertwig et al., 2004; Hertwig & Erev, 2009).
In cybersecurity, the likelihood of an incident is never really observable, except through surveys designed to estimate it. Individuals therefore primarily learn through experience, which creates a tendency to underestimate the risk of cybercrime. Many respondents thus indicated in the survey that their perception of risk increased after a data breach. Hence, a low initial perception of risk, which biases individuals’ cost–benefit analyses, makes it more difficult to incentivize the adoption of appropriate protective measures.
Through this study and its regular publications on the subject, the CNIL aims to alert individuals to the reality of this threat so that they can adopt appropriate behaviors. This awareness-raising mission complements the CNIL’s other actions related to enforcement towards organizations that do not sufficiently protect personal data.
Did you know?
Among every 1,000 readers of this publication, approximately 13 are likely to experience fraudulent use of their personal data within the next three years, resulting in financial harm exceeding €1,000.
To reduce the likelihood of becoming a victim and the associated negative consequences (financial, psychological…), adopt the essential protective reflexes without delay.
Learn more: Cybersecurity Guidelines