The results of this survey show that incidents related to the unauthorized use of personal data are frequent. 41% of respondents have already undergone fraudulent use of their personal data. Of these, 21% suffered financial harm.
Frequency and severity of cybercrimes related to personal data
All cases combined, the declared average financial damage is 740 euros. The attack leading to the highest average financial damage is identity fraud (915 euros).
Poorly protected personal data therefore leads to real damage, well assessed by individuals, and having a high cost for them, especially for the most modest.
The findings, part of a trilogy of CNIL publications on data perceptions and online consent, underscore a stark disconnect between the buzz around cyber threats and their tangible fallout. While corporate costs from cybercrime in France ballooned to €119 billion in 2024 according to Statista, the human element—individual losses and mindset shifts—has remained murky. “These incidents create real damages, well-assessed by individuals, with a high cost especially for the most vulnerable,” the CNIL notes, highlighting how underinvestment in cybersecurity mirrors biases that leave both companies and people exposed.
A Pervasive Threat: 41% of French Hit by Data Fraud
The Harris Interactive survey, conducted December 18-23, 2024, on a representative sample of 2,082 French adults aged 15 and over, lays bare the ubiquity of these violations. Respondents recounted experiences ranging from identity theft to spam bombardments, with 41% reporting at least one fraudulent use of their personal data in the past three years. Identity fraud topped the list at 16% prevalence, followed by unsolicited solicitations at 24%.
Financial harm struck 21% of all victims, but the pain was acute: 75% of financial fraud attempts led to losses, averaging €592. Overall, declared damages totaled €131,614 across the sample—€63 per person on average—but with wild disparities. Half of those hit financially lost under €200, yet 14% faced over €1,000, and one outlier reported €20,000 in damages. This “long-tail” distribution, as visualized in the CNIL’s accompanying graph, shows a cluster of modest hits overshadowed by rare but ruinous events.
| Type of Fraud | Prevalence | Share Leading to Damage | Share Leading to Moral Damage (Stress, Anxiety) | Share Leading to Financial Damage | Average Financial Damage |
|---|---|---|---|---|---|
| Identity Fraud | 16% | 70% | 28% | 24% | €915 |
| Unsolicited Solicitation | 24% | 35% | 15% | 29% | €691 |
| Fraud or Attempted Financial Fraud | 5% | 65% | 26% | 75% | €592 |
| Disclosure of “Compromising” Information | 7% | 76% | 27% | 18% | €609 |
| Blackmail or Harassment | 4% | 71% | 19% | 13% | €450 |
Only 30% of victims reported incidents to authorities like police or the CNIL, opting instead for self-protection: 67% altered behaviors to mitigate risks, such as tightening privacy settings or avoiding certain sites. The psychological toll was equally grim, with 15-28% across categories reporting stress or anxiety.
Trust Erosion: Over Half Ditch Digital Services Post-Breach
The survey’s most alarming revelation? A trust crisis that stifles the digital economy. Among those damaged in the last three years, 57% abandoned at least one online service—think e-commerce or banking apps—fearing further misuse, compared to 35% in the general populace. This “climate of mistrust,” as the CNIL terms it, amplifies indirect costs for businesses, echoing prior analyses of GDPR’s economic upsides through better security.
Distribution of Cybercrime Damages: A long-tail curve where most losses cluster below €200, but a minority skews the average with damages exceeding €1,000—highlighting rare, severe hits.
Behavioral Traps: Why Underestimation Fuels the Fire
Delving into psychology, the report invokes the “description-experience gap” from behavioral economics: people undervalue rare risks like cyber breaches when gauging from personal history, not stats. Pre-incident, risk perception is low, skewing cost-benefit analyses and delaying protective steps. Post-breach, awareness spikes, but so does paranoia.
“Out of 1,000 readers, about 13 will face data fraud with over €1,000 in losses in the next three years,” the CNIL warns, urging “essential reflexes” like strong passwords and vigilance. It spotlights cyberinsurance as a buffer, while ramping up enforcement against lax data handlers.
As France grapples with escalating threats—amid EU-wide GDPR tweaks via the Omnibus package—the CNIL’s call to action resonates: Awareness alone won’t suffice; resilient habits and robust policies must bridge the gap between threat and defense. For full details, consult the Harris Interactive report.
