Black Hat Asia: Privacy and cyber security are inseparable

Privacy is not a side issue to cyber security but a core part of it, as privacy failures can easily become security breaches, investigative journalist and author Violet Blue told delegates during the opening keynote at Black Hat Asia 2026 in Singapore.

While terms like “privacy policy” and “anonymised data” can sound reassuring, they do not always mean privacy is truly protected, said Blue. She argued that the technology industry has too often treated privacy as optional while reserving urgency for security. This split, she suggested, is no longer tenable in a world where personal data is increasingly the entry point for major cyber incidents.

Security professionals often believe “privacy is dead”, she said, leading them to “shrug and engage in practices they know they shouldn’t”.

Blue argued that the same business incentives eroding privacy also weaken security, warning that relentless data collection fuels surveillance-based business models and creates new attack paths.

“Surveillance capitalism doesn’t just erode privacy, it creates an attack surface,” she said. “Every data broker is a target. Every adtech SDK [software development kit] is a supply chain risk. Every ‘we need this telemetry’ decision is a pre-positioned asset for a future breach.”

While a common counterargument is that security carries a financial cost and privacy regulation is an added compliance burden, Blue said the incentives working against privacy are equally detrimental to security.

She highlighted several high-profile incidents where exposed personal information was not just part of the fallout, but the weaponised entry point for the attack itself.

In the 2023 MGM Resorts incident, for example, attackers reportedly used scraped, publicly available personal data to impersonate an employee. This allowed them to persuade the IT helpdesk to reset users’ multi-factor authentication (MFA), leading to major disruption and financial losses.

Similarly, in the 23andMe breach, compromised accounts exposed the genetic and personal data of millions of profiles far beyond the initial victims.

She also pointed to the Twilio smishing attacks in 2022 and the fallout from Facebook’s phone number collection as examples of how data gathered in the name of trust or security can later be repurposed, leaked or weaponised. Users had provided phone numbers for protective purposes, such as two-factor authentication, only for those same data points to become part of broader security risks.

Discussing the difference between agency and control, Blue said: “Agency means owning your data: having the right to say no, the right to know what you’re agreeing to, and being able to withdraw your consent. It also means being able to take your data elsewhere.

“Most privacy controls are theatre. You’re just choosing which colour the cage is painted,” she added.

Data sovereignty, she noted, is one of the most serious attempts to address the incentive problem behind privacy harms. Rather than treating privacy as an individual consumer choice, it is viewed as an issue of “collective agency”, with laws and frameworks across the Asia-Pacific region pushing companies to safeguard personal data more responsibly.

She cited Singapore’s Personal Data Protection Act, Japan’s Act on the Protection of Personal Information, and South Korea’s Personal Information Protection Act (PIPA) – alongside similar laws in Indonesia, Vietnam, Australia and the Philippines – as examples of data sovereignty where privacy and security are treated as linked responsibilities. 

Blue also highlighted indigenous data sovereignty as a framework for better data governance. Under this model, a community has the right to decide what data about them is collected, how it is stored and secured, who gets access to it, and how misuse can be limited or corrected.

This approach, she suggested, offers an alternative to extractive data practices, where institutions or companies take data from communities for their own purposes without granting them meaningful access or control.

As an example, she pointed to Te Mana Raraunga, the Māori Data Sovereignty Network in New Zealand, where data collected about Indigenous people is governed under the control of the tribal nations it comes from.

In Australia, she highlighted data storage services for Aboriginal and Torres Strait Islander data – including Mukurtu, Keeping Culture, and AtoM (supported by AxiDA). These digital platforms manage and store indigenous cultural data in ways that reflect core data sovereignty principles.

Strong privacy and security stem from long-term, responsible data governance, Blue concluded. It is not enough to defend systems technically; people and communities must be given real power to govern data responsibly as a group, ensuring it is not extracted, misused or exposed.

“It’s the move from ‘I protect my data’ to ‘we govern our data’; from individual defence to collective stewardship,” she said.
