Is this a new thing or has it always been the case? Because I'm pretty sure I've heard otherwise before. (Unless by "technical barrier" you don't mean the same thing I do.)
Also what do you mean by "very hard without getting caught"? Is it like hacking their database from the outside/open internet? Or is it like "they can, but it'll trip fifty alarms" [but they'd still get the data].
2. Yes, it’s like hacking the database from the outside in most cases; in others it trips alarms and starts an investigation. Not all data is created equal here... but generally speaking PII data is highly guarded.