Experts are warning that weak passwords and poor security standards for IoT devices are leaving businesses and consumers increasingly exposed, ahead of Data Privacy Day tomorrow (28th January).
The warning comes amid a massive data leak this week, which revealed 149 million compromised online credentials, including email addresses, usernames, passwords, and direct login links—demonstrating how easily attackers can exploit weak authentication and unsecured connected devices.
Cybersecurity researcher Jeremiah Fowler, who uncovered the breach, said the exposed database included thousands of files linking credentials to login pages, making it a goldmine for account takeover, phishing campaigns, and large-scale credential-stuffing attacks. Gmail users were among those at highest risk.
Steven Furnell, IEEE senior member and Professor of Cybersecurity at the University of Nottingham, warned that password weaknesses remain a persistent problem. “Despite talk of a passwordless future, most services still rely heavily on passwords,” he said. “Mandatory complexity rules often increase user burden without improving security, encouraging reuse, predictable variations, and insecure storage. Organisations must provide clear guidance, enforceable checks, and ongoing training to prevent credentials from being exploited.”
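As an added illustration (not code from the article, from Prof. Furnell, or from any of the organisations quoted), the check below is one way to implement the kind of enforceable check he describes in place of composition rules: it rejects passwords that are too short, that appear on a breached-password list, or that are a predictable variation of the user's previous password (trailing digits bumped, "0" for "o" and similar substitutions). The blocklist, the 12-character minimum, the substitution table and the sample passwords are constructed assumptions for the example; a real deployment would use a full breached-credential corpus.

```python
"""
Added example: an acceptance check for new passwords that enforces length and
a breached-password blocklist rather than character-class composition rules,
and that rejects trivial variations of the previous password.
All constants and sample inputs below are constructed for illustration.
"""
import re
from typing import List, Optional

# Constructed stand-in for a breached-password corpus (a real check would use
# a full list or a k-anonymity lookup service).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome", "summer"}

# Assumed policy: length is the main requirement, no mandatory symbol/digit mix.
MIN_LENGTH = 12

# Common substitutions users make to satisfy complexity rules ("P@ssw0rd").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})

TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def base_form(pw: str) -> str:
    """Reduce a password to its 'root': lower-case, drop the trailing run of
    digits/symbols (Summer2024! -> summer), then fold leet substitutions
    (p@ssw0rd -> password). Falls back to the lower-cased input if stripping
    would leave nothing (e.g. '123456')."""
    lowered = pw.lower()
    stripped = TRAILING_JUNK.sub("", lowered)
    return (stripped or lowered).translate(LEET)


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of reasons the candidate is rejected.
    An empty list means the password is accepted."""
    reasons: List[str] = []

    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Check both the literal value and its root against the blocklist, so
    # 'P@ssw0rd2026!' is caught even though the exact string was never leaked.
    if candidate.lower() in BREACHED or base_form(candidate) in BREACHED:
        reasons.append("appears in breached-password list")

    # Reject 'Summer2025!' after 'Summer2024!' and similar rotations.
    if previous is not None and base_form(candidate) == base_form(previous):
        reasons.append("predictable variation of previous password")

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("P@ssw0rd2026!", None),
        ("Summer2025!", "Summer2024!"),
        ("brisk-otter-lantern-42", "brisk-otter-lantern-41"),
        ("correct horse battery staple", None),
    ]
    for candidate, previous in samples:
        verdict = check_password(candidate, previous)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The point of the design is that none of the checks is a composition rule: a long passphrase with no digits or symbols passes, while a symbol-laden password that is just a folded dictionary word, or last month's password with the year incremented, does not.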
The leak also highlights broader failings in security strategy, according to Kevin Curran, IEEE senior member and Professor of Cybersecurity at Ulster University. “The traditional assumption that users and devices inside a network can be trusted is no longer fit for purpose,” he said. “As organisations rely more on Cloud services, remote access, and IoT devices, the attack surface has expanded far beyond a defined perimeter. Compromised credentials act as open doors. Zero Trust architectures must be central to modern security, with strong governance and senior-level oversight.”
Przemysław Grandos, Head of IT & Compliance at Catalogic Software, added that policies alone are not enough. “If you can’t evidence it, you don’t really have it,” he said. “Privacy programmes fail when access controls exist only as tribal knowledge. Treating backup and recovery as privacy controls—using immutable copies, separation of duties, strict administrative access, and routine restore testing—is essential to contain damage and restore trust.”
The scale of the issue is compounded by gaps in compliance and awareness. A recent Zoho study found that only 36% of UK businesses say they fully comply with all data privacy regulations and industry guidelines, while 46% agree data privacy is critical to business success. Just 43% conduct regular training, and 45% report their privacy policies are clear and transparent, down from 50% in 2025.
Sachin Agrawal, Managing Director of Zoho UK, said these findings highlight the importance of embedding privacy into daily operations rather than treating it as a box-ticking exercise. “Data privacy is no longer just a compliance requirement—it is essential for customer trust,” he said. “Organisations that prioritise transparency, restrict access to the minimum necessary data, and educate employees on privacy policies will reduce risk and strengthen long-term relationships. Shadow AI usage and poorly governed emerging technologies can amplify exposure if privacy is not treated as a core value.”
Gal Naor, CEO of StorONE, noted that privacy must also be designed into infrastructure from the outset. “Data now spans on-prem systems, hybrid and cloud environments, backups, archives, and AI pipelines,” he said. “Privacy-by-design ensures organisations know where data resides, how it’s encrypted, and who can access it. Intelligent data placement and reduced duplication limit exposure and make privacy enforceable rather than aspirational.”
Yoram Novick, CEO of Zadara, added that AI adoption makes data sovereignty increasingly important. “Sovereign cloud and AI cloud architectures keep sensitive data under local control and regulatory oversight,” he said. “Combined with identity-aware systems, multi-factor authentication, and continuous verification, these approaches are essential to protect data in today’s hyper-connected, AI-driven environment.”