We hear regularly about consumer backlash from data breaches. There are usually legal repercussions, and often hard dollars (euros, yen, etc.) being spent on things like identity protection or credit monitoring. In addition, in the last couple of years, there are plenty of people who try to limit, or cease, doing business with organizations that lose their data. That isn't always possible, especially when the government is the one getting hacked, but more and more people are taking an active stance against poor internet security by organizations.
It's not anything that I think will happen soon, but I bet it will happen. Airbus had a breach that lost employee data. I wonder when we'll start to see employees initiating lawsuits or other actions against their employers. My suspicion is that this will happen with former employees first, but with the GDPR, current employees in the EU might feel emboldened, and with good reason. Employers have a lot of data about us, and that ought to be well protected.
There have been hacks to lower a stock price, or affect a company. Why not hacks to attack employees? I wouldn't have thought of this until I talked with a forensic analyst about other possible second-order attacks. Could there be individuals who might seek to attack IT staff through personal information and blackmail or otherwise extort them to copy data? What about partners and spouses of employees at big companies? I don't worry about Redgate as a target, but what if you work for Google/Apple/Microsoft/Facebook? We already had a potential sleeper employee at Twitter.
Unfortunately, I see no depths to which criminals might sink. Across the last decade there have been stories of actions that I never would have contemplated. While I hope my fears are unfounded, I worry that sensitive data about employees might be on the radar for some nefarious individuals.