Something has shifted in the way power operates behind the scenes of global business, and most chief executives, perhaps to the quiet despair of their technology and security chiefs, have yet to grasp it.
The theft of sensitive information is no longer a fringe activity. It has become a conspicuous, if alarming, feature of high-stakes commercial life, enabled, whether directly or inadvertently, by a growing market of private intelligence firms, former state-security personnel and sophisticated hackers operating in the legally ambiguous “grey zone”.
What was once the preserve of nation-state espionage has migrated into the commercial sector. Even systems long assumed to be unreachable, such as restricted government databases, sensitive investigative files and secured state records, are proving more vulnerable than anyone cared to admit. For any business that operates across borders, the consequences are no longer theoretical, and the case for treating cyber-security as a board-level discipline rather than an IT afterthought has rarely been stronger.
The courts are beginning to reveal the scale of the problem.
In December 2024, the Israeli surveillance firm NSO Group was found liable by a US federal court for hacking the smartphones of roughly 1,400 WhatsApp users, among them journalists, diplomats and government officials, using its Pegasus spyware. The following May, a Californian jury ordered the company to pay more than $167 million in punitive damages to Meta, WhatsApp’s owner, the first time a commercial spyware maker had been held legally liable in an American court. A judge later cut the punitive figure to $4 million but granted a permanent injunction barring NSO from targeting WhatsApp users, a ruling rights groups described as a landmark moment in the fight against spyware abuse.
The Waymo v Uber affair makes a related point closer to the commercial mainstream. A former Google engineer, Anthony Levandowski, was criminally convicted of stealing trade secrets after downloading thousands of confidential files on self-driving car technology, a dispute that Uber and Waymo ultimately settled for an equity stake worth around $245 million. It is a reminder that proprietary corporate intelligence can be compromised even within internal systems that are meant to be watertight, a lesson UK firms have absorbed the hard way as breaches at the likes of Capita have drawn multimillion-pound regulatory penalties.
A more recent matter, before prosecutors in Milan, pushes the issue further still. Dozens of individuals, reportedly including lawyers at major international firms and a senior in-house legal executive at a large European energy company, have been placed under investigation by the Italian authorities over an alleged private intelligence operation accused of illegally accessing restricted Interior Ministry databases.
All of those named are presumed innocent, and the existence of an inquiry is not a finding of guilt. Separately, prosecutors have examined whether the alleged network created exposure for foreign actors inside Italian government systems.
That last point deserves particular attention. The allegation is not of a conventional data breach. It concerns the alleged deliberate misuse of public infrastructure for private ends, with the secondary, and far more troubling, prospect of national-security consequences. It is the kind of systemic vulnerability that has already prompted British institutions to act, as when Companies House suspended part of its online filing service over a security flaw that risked exposing director data.
The line between legitimate competitive intelligence and criminal conduct has always been contested. What is changing is how often, and how far, that threshold is allegedly being crossed.
For any organisation operating across multiple jurisdictions, that shift demands serious attention, not as a compliance footnote, but as a strategic risk that now reaches all the way to the boardroom.