There's a number in this year's DLA Piper GDPR survey that stopped me.
Between January 2025 and January 2026, the average number of breach notifications per day increased by 22% — breaking 400 per day for the first time since GDPR came into force. (DLA Piper GDPR Fines and Data Breach Survey, January 2026)
That's not a blip. And DLA Piper are direct about what's driving it: heightened geopolitical tensions fuelling more malicious cyber attacks.
But when I look at the actual incidents behind these numbers, what strikes me isn't the sophistication. It's the simplicity of the entry point.
Identity keeps being the door.
In France, attackers accessed Interior Ministry databases after compromising police email accounts on systems lacking two-factor authentication — gaining access to judicial records on millions of people. (Le Monde, 2025) In Belgium, Orange's systems were infiltrated, exposing data on around 850,000 telecom subscribers. Different organisations, different industries, same pattern: someone gained access by appearing to be someone they weren't.
The ICO's March 2025 fine against Advanced Computer Software Group makes the regulatory stakes explicit — EUR 3.49 million after hackers accessed NHS-connected systems through a single customer account without multi-factor authentication. (ICO Enforcement Action, March 2025) The ICO described it as a failure to implement appropriate technical and organisational measures. The actual failure was one missing identity control.
What I find most underappreciated in this conversation is that the identity risk in professional services isn't primarily inside your network. It's at the boundary — in how external clients and counterparties access your systems, your documents, your workflows.
When a client receives a link to a shared document today, how do you know who is actually clicking it? How was their identity verified — not at onboarding six months ago, but at this moment of access? If their email account were compromised, at what point in your current workflow would your systems actually stop an attacker?
For most firms, the honest answer is: not at the document access point. The link works. The portal opens. Trust was established once and assumed ever since.
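To make the gap concrete, here is an added example (not code from the post or from any product it mentions) of a document-access check that evaluates identity at the moment the link is opened rather than trusting a link issued weeks earlier. All names, the `Session` and `ShareLink` types, the 15-minute MFA freshness window and the sample identities are constructed for illustration; the point is the ordering of checks: the link is bound to a named recipient, the bearer must hold a session for that same identity, and that session must carry a recent MFA completion, so a stolen link or a compromised mailbox alone is not enough.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy value: the caller's last MFA completion must be within
# this window for a share link to open. Chosen for the example, not from the post.
MFA_FRESHNESS_SECONDS = 15 * 60


@dataclass
class Session:
    """Hypothetical view of the caller's authenticated session."""
    user_id: str
    mfa_verified_at: Optional[float]  # epoch seconds of last MFA completion, None if never


@dataclass
class ShareLink:
    """A share link bound to a named recipient, not to whoever happens to hold it."""
    doc_id: str
    recipient_id: str
    expires_at: float
    token: str


def _derive_token(doc_id: str, recipient_id: str, expires_at: float, secret: bytes) -> str:
    # HMAC over the link's bound fields, so the token cannot be re-pointed at
    # another document, recipient or expiry without the server-side secret.
    msg = f"{doc_id}|{recipient_id}|{int(expires_at)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_link(doc_id: str, recipient_id: str, ttl_seconds: int, secret: bytes, now: float) -> ShareLink:
    expires_at = now + ttl_seconds
    return ShareLink(doc_id, recipient_id, expires_at,
                     _derive_token(doc_id, recipient_id, expires_at, secret))


def check_access(link: ShareLink, presented_token: str, session: Optional[Session],
                 secret: bytes, now: float) -> Tuple[bool, str]:
    """Decide at access time whether the link opens. Returns (allowed, reason)."""
    expected = _derive_token(link.doc_id, link.recipient_id, link.expires_at, secret)
    if not hmac.compare_digest(expected, presented_token):
        return False, "token-mismatch"          # tampered or forged link
    if now >= link.expires_at:
        return False, "link-expired"
    if session is None:
        return False, "no-authenticated-session"  # possessing the link is not identity
    if session.user_id != link.recipient_id:
        return False, "session-identity-mismatch"  # link forwarded to someone else
    if session.mfa_verified_at is None or now - session.mfa_verified_at > MFA_FRESHNESS_SECONDS:
        return False, "mfa-step-up-required"      # identity verified once, long ago, is not enough
    return True, "allow"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check against constructed scenarios and return each outcome."""
    secret = secrets.token_bytes(32)
    now = 1_700_000_000.0
    link = issue_link("doc-42", "client@example.com", 7 * 24 * 3600, secret, now)
    day = 86400.0
    return {
        # Named recipient, MFA completed two minutes ago.
        "fresh_mfa": check_access(link, link.token, Session("client@example.com", now - 120), secret, now),
        # Same recipient, but MFA last completed at onboarding six months ago.
        "stale_mfa": check_access(link, link.token, Session("client@example.com", now - 180 * day), secret, now),
        # Someone holding only the link, with no session at all.
        "bare_link": check_access(link, link.token, None, secret, now),
        # A different identity presenting the recipient's link.
        "wrong_identity": check_access(link, link.token, Session("other@example.com", now - 60), secret, now),
        # A token that does not verify against the bound fields.
        "tampered": check_access(link, "0" * 64, Session("client@example.com", now - 60), secret, now),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:15s} allowed={allowed} reason={reason}")
```

The "stale_mfa" case is the one the paragraph above is really about: the user is exactly who they claim to be, yet the system still demands a fresh verification before the document opens, because a mailbox compromised in the meantime would otherwise sail through on trust established at onboarding.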
I don't raise this to alarm. I raise it because I think it's the right question to be asking — and most organisations aren't asking it often enough.
The regulatory environment is clearly moving in this direction. The aggregate total of GDPR fines since 2018 now stands at EUR 7.1 billion. (DLA Piper GDPR Fines and Data Breach Survey, January 2026) Enforcement isn't softening. Identity controls are no longer just a security question — they're a compliance question, and increasingly a commercial trust question.
What's your current approach to verifying external identity beyond initial onboarding? I'd genuinely like to know where firms are drawing the line.