Police Scotland Fined for Mishandling Alleged Victim’s Mobile Phone Data 

The Information Commissioner’s Office (ICO) has fined the Police Scotland £66,000 and issued a Reprimand for serious failures in the handling of sensitive personal data. 

Detective Constable Lianne Gilbert, who has now waived her right to anonymity, made domestic abuse allegations, including serious sexual assault, against another officer in 2020. However, when a misconduct inquiry took place two years later, it emerged that data extracted from Ms Gilbert’s phone was given to the accused officer, his lawyer and his Scottish Police Federation (SPF) representative. There were 40,000 pages of extracted data including 80,000 images, medical records and contact details of Ms Gilbert’s friends and family. Some of the images were of an intimate nature. 

Ms Gilbert has given her account to BBC Scotland News. She said: 

“It’s been absolutely horrific and very, very traumatic.” 

“At the time it happened I had a five-month-old baby. It’s really impacted my motherhood journey. At times I still feel quite numb.” 

It is important to note that the officer in question has not been charged with any offences against Ms Gilbert and the case remains live. 

UK GDPR Breaches 

The ICO investigation concluded that:  

a) Police Scotland failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data by the PSD for the purposes of compiling misconduct packs for disclosure as part of its investigations (Article 32(1) UK GDPR); 

b) These deficiencies put the personal data processed by the PSD at risk of unauthorised disclosure, in breach of the requirement to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (Article 5(1)(f) UK GDPR); 

c) Police Scotland failed, at the time of the determination of the means of processing and at the time of the processing itself, to implement appropriate technical and organisational measures designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the UK GDPR and protect the rights of data subjects (Article 25(1)-(2) UK GDPR); 

d) Police Scotland failed to ensure that the personal data processed by the PSD when compiling misconduct packs for disclosure was adequate, relevant and limited to what was necessary in relation to the purposes for which it was processing that data (Article 5(1)(c) UK GDPR); and 

e) Police Scotland failed to inform the Commissioner of the personal data breach within 72 hours of becoming aware of the same (Article 33(1) UK GDPR). 

In assessing the fine amount, the ICO considered the seriousness of the incident, the sensitivity of the data involved and the impact on the affected person. It initially concluded that a £132,000 fine would be effective, proportionate and dissuasive. However, applying its controversial public sector approach to enforcement, it decided to reduce the amount by 50%. 

The Monetary Notice states that Police Scotland paid a sum of money (amount redacted) as compensation to Ms Gilbert. This may have been in anticipation of a civil claim by Ms Gilbert. Article 82 UK GDPR gives a data subject a right to compensation for material or non-material damage for any breach of the UK GDPR. Section 168 of the DPA 2018 confirms that “non-material damage” includes distress. There may be more claims to come; no doubt amongst the data extracted (and shared) from Ms Gilbert’s phone there will have been personal data related to third parties. 

Part 3 DPA Reprimand 

The related reprimand was issued under Part 3 of the Data Protection Act 2018 (law enforcement processing). Police Scotland is a competent authority under Part 3 and was, according to the ICO, processing Ms Gilbert’s data for law enforcement purpose when it extracted the data. The ICO found that Police Scotland had infringed sections 35 and 37 of the DPA by failing to ensure that: 

a) The bulk download of personal data on the mobile phone of the Data Subject was lawful and fair (section 35 DPA); and 

b) The personal data processed from the mobile phone download was adequate, relevant and not excessive in relation to the purposes for which it was processed (section 37 DPA). 

The ICO initially considered that a fine would be appropriate for these DPA breaches, and considered notifying Police Scotland of its intention to impose a fine of £78,750. However, once again, due to the revised approach to public sector enforcement it decided a reprimand was more appropriate. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.   

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop and our Law Enforcement Data Processing workshop.

Children’s Privacy Failures Result in a £14.47m Fine for Reddit

Safeguarding children’s privacy is a key enforcement priority for the Information Commissioner’s Office (ICO). It is also one of their duties under the Online Safety Act, alongside OFCOM.  

In March 2025, the ICO announced three investigations looking into how TikTok, Reddit and Imgur (an image sharing and hosting platform) protect the privacy of their child users in the UK. The investigations into Imgur and Reddit specifically focussed on how the platforms use UK children’s personal data and their use of age assurance measures. 

Article 8(1) of the UK GDPR states the general rule that when a Data Controller is offering an “information society service” (e.g. social media apps and gaming sites) directly to a child, and it is relying on consent as its lawful basis for processing, only a child aged 13 or over is able to provide their own consent. For a child under 13, the Data Controller must seek consent from whoever holds parental responsibility. Article 8(2) further states: 

“The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.” 

Earlier this month MediaLab.AI, Inc. (MediaLab), owner of Imgur, was fined £247,590 for processing children’s personal data in ways that breached the UK GDPR. Imgur’s terms of use stated that children under 13 could only use the platform with parental supervision. However, the ICO investigation found that MediaLab did not implement any form of age assurance measures to determine the age of Imgur users and did not have measures in place to obtain parental consent where children under 13 used the platform. 

Yesterday the ICO announced that Reddit has now been fined £14.47m under the UK GDPR. The circumstances of the fine are very similar to MediaLab’s. In summary: 

  • Reddit’s terms of service prohibited children under 13 years of age using its platform, but despite that it did not have measures in place to check the age of users accessing its platform until July 2025. 
  • The ICO’s estimates indicated that there were a large number of children under 13 on the platform and Reddit did not have a lawful basis for processing their personal data. 
  • Reddit had not completed a Data Protection Impact Assessment focusing on the risks of using children’s personal data before January 2025, even though children between 13 and 18 were allowed to use the platform. 
  • Because Reddit used under-13s’ personal data without a lawful basis and without having properly considered the risks to children more generally, children were at risk of exposure to inappropriate and harmful content on its platform. 

We are waiting for the ICO to publish the Monetary Penalty Notices in relation to Reddit and MediaLab. In the case of the latter, the ICO said at the time that it is still considering the redaction of personal and commercially confidential or sensitive information. 

The ICO’s investigation into TikTok is still ongoing. It is considering how the platform uses personal data of 13–17-year-olds in the UK to make recommendations to them and deliver suggested content to their feeds. This is in the light of growing concerns about social media and video sharing platforms using data generated by children’s online activity in their recommender systems, which could lead to them being served inappropriate or harmful content.  

The ICO is also investigating 17 other platforms, including Discord, Pinterest, and X, and has been in discussions with Meta and Snapchat over how they use children’s location data in their user map features. Watch this space! 

The Data (Use and Access) Act 2025, most of which came into force earlier this month, explicitly requires those who provide an online service that is likely to be used by children to take their needs into account when deciding how to use their personal data. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.  

This and other developments relating to children’s data will be covered in our forthcoming workshop, Working with Children’s Data.

Children’s Image Hosting Platform Fined For Privacy Failures

Last week the Information Commissioner’s Office (ICO) issued its first UK GDPR fine of 2026. MediaLab.AI, Inc. (MediaLab), owner of image sharing and hosting platform Imgur, received a Monetary Penalty Notice of £247,590 for processing children’s personal data in ways that breached the UK GDPR.     

Safeguarding children’s privacy is a key enforcement priority for the ICO. 
In April 2023, it issued a £12.7 million fine to TikTok for a number of breaches of the UK GDPR, including failing to use children’s personal data lawfully. The following year, the ICO launched its Children’s code strategy to look closely at social media platforms and video sharing platforms. 
In December it published a progress report on the strategy, reporting good progress and including a ‘proactive supervision programme’ to drive improvements in the industry. Perhaps this latest fine is part of this ‘proactive supervision programme’.

Article 8(1) of the UK GDPR states the general rule that when a Data Controller is offering an “information society service” (e.g. social media apps and gaming sites) directly to a child, and it is relying on consent as its lawful basis for processing, only a child aged 13 or over is able to provide their own consent. For a child under 13, the Data Controller must seek consent from whoever holds parental responsibility. Article 8(2) further states: 

“The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.” 

Imgur’s terms of use did state that children under 13 could only use the platform with parental supervision. However, the ICO investigation found that MediaLab did not implement any form of age assurance measures to determine the age of Imgur users and did not have measures in place to obtain parental consent where children under 13 used the platform. 

In setting the £247,590 penalty amount, the ICO took into consideration the number of children affected by this breach, the degree of potential harm caused, the duration of the contraventions, and the company’s global turnover. It also considered MediaLab’s acceptance of the provisional findings set out in the Notice of Intent issued in September 2025 and its commitment to address the infringements if access to the Imgur platform in the UK is restored in the future. If MediaLab resumes processing the personal data of children in the UK (currently the Imgur site is not available in the UK) without implementing the measures it has committed to, the ICO may take further regulatory action. 

We are waiting for the Monetary Penalty Notice to be published. 
The ICO says it is still considering the redaction of personal and commercially confidential or sensitive information.  

This fine shows that the ICO’s spotlight is firmly on those processing children’s data. The Data (Use and Access) Act 2025, the key provisions of which came into force last Thursday, explicitly requires those who provide an online service that is likely to be used by children to take their needs into account when deciding how to use their personal data. 

Listen to the Guardians of Data Podcast for the latest news and views on developments in GDPR, AI, cyber security and FOI.

This and other developments relating to children’s data will be covered in tomorrow’s online workshop, Working with Children’s Data. The newly updated UK GDPR Handbook (2nd edition) includes all amendments introduced by the DUA Act, with colour-coded changes for easy navigation and links to relevant recitals, ICO guidance, and caselaw.

Password Manager Provider Fined £1.2m for GDPR Data Breach 

On 20th November 2025, the Information Commissioner’s Office (ICO) fined password manager provider, LastPass UK Ltd, £1.2 million following a 2022 data breach that compromised the personal data of up to 1.6 million UK users. 

Two security incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal data which included customer names, emails, phone numbers, and stored website URLs.  

For a good analysis of what went wrong at LastPass and how to avoid such incidents, please read this blog. This is the seventh GDPR fine issued by the ICO in 2025; all have been in relation to cyber security incidents. In October professional and outsourcing services company Capita received a £14 million fine following a cyber-attack which saw hackers gain access to 6.6 million people’s personal data; from pension and staff records to the details of customers of organisations Capita supports. In March an NHS IT supplier was fined £3 million, in April a £60,000 fine was issued to a law firm and in June 23andMe, a US genetic testing company, was fined £2.31 million. 

The ICO has urged organisations to ensure internal security policies explicitly consider and address data breach risks. Where risks are identified, access should be restricted to specific user groups. The ICO website is a rich source of information detailing ways to improve practices, including Working from home – security checklist for employers, Data security guidance and Device security guidance.

Cyber Security Training 

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches Workshop. 

Revised GDPR Handbook   

The data protection landscape continues to evolve. With the passing of the Data (Use and Access) Act 2025, data protection practitioners need to ensure their materials reflect the latest changes to the UK GDPR, Data Protection Act 2018, and PECR.   

The newly updated UK GDPR Handbook (2nd edition) brings these developments together in one practical reference. It includes all amendments introduced by the DUA Act, with colour-coded changes for easy navigation and links to relevant recitals, ICO guidance, and caselaw that help make sense of the reforms in context. We have included relevant provisions of the amended DPA 2018 to support a deeper understanding of how the laws interact. Delegates on our future GDPR certificate courses will receive a complimentary copy of the UK GDPR Handbook as part of their course materials.    

DUA Act Workshop in Birmingham 

If you are looking to implement the changes made by the DUA Act to the UK data protection regime, consider our very popular half day workshop which is running online and in Birmingham on 5th February 2026. 

Capita Fined £14m for GDPR Data Breach 

The Information Commissioner’s Office (ICO) has issued a £14m fine under the UK GDPR to professional and outsourcing services company Capita. This follows a cyber-attack in March 2023 which saw hackers gain access to 6.6 million people’s personal data; from pension and staff records to the details of customers of organisations Capita supports. For some people, this included details of criminal records and financial data. 

The ICO said Capita “failed to ensure the security of processing of personal data which left it at significant risk”. Capita plc has been fined £8m and Capita Pension Solutions Limited has been fined £6m, giving a combined total of £14m. The original notice of intent totalled £45m. The ICO and Capita have now agreed to a “voluntary settlement” whereby Capita has admitted liability and agreed to pay the fine without appealing.  

Background 

The cyber-attack began when a malicious file was unintentionally downloaded onto an employee device. Despite a high priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems. Nearly one terabyte of data was exfiltrated. On 31st March 2023, ransomware was deployed onto Capita systems and the hacker reset all user passwords, preventing Capita staff from accessing their systems and network. 

The ICO received at least 93 complaints in relation to this attack. In mitigation, Capita offered 12 months of credit monitoring to affected customers with Experian, as well as setting up a dedicated call centre for those people. It provided weekly updates to the ICO on uptake, with over 260,000 people activating the credit monitoring service. 

ICO Findings 

The ICO investigation found that Capita failed to implement appropriate technical and organisational measures to safeguard the data they held. This included: 

  • Failure to prevent privilege escalation and unauthorised lateral movement: 
      ◦ Capita did not implement a tiering model for administrative accounts. This allowed the attacker to escalate privileges, move laterally across multiple domains and compromise critical systems. 
      ◦ These failings were flagged as a vulnerability on at least three separate occasions but were not remedied. 
  • Failure to respond appropriately to security alerts: 
      ◦ A high priority security alert was raised within ten minutes of the breach, but Capita took 58 hours to respond appropriately, against a target response time of one hour. 
      ◦ Capita’s Security Operations Centre was understaffed, and in at least six months before the incident fell well below the target response times for responding to security alerts. 
  • Inadequate penetration testing and risk assessment: 
      ◦ Systems processing millions of records, including some sensitive data, were only subject to a penetration test upon being commissioned and were not subject to any subsequent penetration test. 
      ◦ Findings from penetration tests were siloed within business units. Risks identified that affected the wider Capita network were not universally addressed. 

The ICO has highlighted key areas where organisations should be taking proactive steps to reduce security risks, such as: 

  • Regularly monitoring for suspicious activity and responding to initial warnings and alerts in a timely manner; 
  • Sharing the findings from penetration testing across the whole organisation so risks can be universally addressed; 
  • Prioritising investment in key security controls to ensure that they are operating effectively; and 
  • Checking agreements and responsibilities between data controllers and data processors. 

Capita Pension Solutions Limited was fined as a data processor. It processes personal data on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach. This is only the second time a data processor has been fined by the ICO. In March 2025, Advanced Computer Software Group Ltd, a key IT and software provider for the NHS and other healthcare organisations, was fined £3,076,320. Hackers exploited a vulnerability through a customer account that lacked multi-factor authentication, gaining access to multiple health and care systems operated by Advanced. The ICO investigation found that personal data belonging to 79,404 people was taken. This included phone numbers, medical records, and even details on how to access the homes of 890 individuals receiving at-home care. 

This is the fifth GDPR fine issued by the ICO in 2025; four of these have been in relation to cyber security incidents. In March an NHS IT supplier was fined £3 million, in April a £60,000 fine was issued to a law firm and in June 23andMe, a US genetic testing company, was fined £2.31 million.

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches Workshop.

Scope of the GDPR: ICO Wins Clearview Appeal  

The Information Commissioner has won his appeal (to the Upper Tribunal) against the First-tier Tribunal (FTT) decision involving Clearview AI Inc.  

Clearview is a US based company which describes itself as the “World’s Largest Facial Network”. Its online database contains 20 billion images of people’s faces and data scraped from the internet and social media platforms all over the world. It allows customers to upload an image of a person to its app; the person is then identified by the app checking against all the images in the Clearview database. The appeal raised the issue of the extent to which processing of the personal data of UK data subjects by a private company based outside the UK is excluded from the scope of the GDPR, including where such processing is carried out in the context of its foreign clients’ national security or criminal law enforcement activities. 

Background 

In May 2022 the ICO issued a Monetary Penalty Notice of £7,552,800 to Clearview for breaches of the UK GDPR including failing to use the information of people in the UK in a way that is fair and transparent. Although Clearview is a US company, the ICO ruled that the UK GDPR applied because of Article 3(2)(b) (territorial scope). It concluded that Clearview’s processing activities “are related to…the monitoring of [UK resident’s] behaviour as far as their behaviour takes place within the United Kingdom.” The ICO also issued an Enforcement Notice ordering Clearview to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.  

In October 2023, the FTT overturned the ICO’s enforcement and penalty notice against Clearview. It concluded that although Clearview did carry out data processing related to monitoring the behaviour of people in the UK (Article 3(2)(b) of the UK GDPR), the ICO did not have jurisdiction to take enforcement action or issue a fine. Both the GDPR and UK GDPR provide that acts of foreign governments fall outside their scope; it is not for one government to seek to bind or control the activities of another sovereign state. However, the Tribunal noted that the ICO could have taken action under the Law Enforcement Directive (Part 3 of the DPA 2018 in the UK), which specifically regulates the processing of personal data in relation to law enforcement. 

The Upper Tribunal Judgement  

The Upper Tribunal allowed the appeal, set aside the decision of the FTT and remitted the matter to the FTT to decide the substantive appeal on the basis that the Information Commissioner had jurisdiction to issue the notices. It also decided that the FTT was right to find that Clearview’s processing fell within the territorial scope of the GDPRs, albeit that it differed in its reasoning. 

In its judgment, the Upper Tribunal ruled that: 

(1) The words “in the course of an activity which falls outside the scope of Union law” in Article 2(2)(a) of the GDPR (which provides for an exclusion from the material scope of the GDPR) refer only to those activities in respect of which Member States have reserved control to themselves and not conferred powers on the Union to act, and not to all matters without the competence of the Union (as the ICO argued) or to the activities of third parties whose processing “intersects” with their clients’ processing in the course of “quintessentially state functions” which would offend against comity principles (as Clearview argued); 

(2) The words “behavioural monitoring” in Article 3(2)(b) are to be interpreted broadly, as a response to the challenges posed by ‘Big Data’ in the digital age, and they can encompass passive collection, sorting, classification and storing of data by automated means with a view to potential subsequent use, including use by another controller, of personal data processing techniques which consist of profiling a natural person. “Behavioural monitoring” does not require an element of active “watchfulness” in the sense of human involvement;  

(3) The words “related to” in Article 3(2)(b) of the GDPR, as applied to Article 3(2)(b), have an expansive meaning, and apply not only to controllers who themselves conduct behavioural monitoring, but also to controllers whose data processing is related to behavioural monitoring carried out by another controller. 

Data protection practitioners should read the judgement of the Upper Tribunal as it clarifies the material and territorial scope provisions of the UK GDPR. This and other GDPR developments will be discussed in our forthcoming GDPR Update workshop. 

Charity Receives £18,000 GDPR Fine

On Monday, a Scottish Charity (Birthlink) received a GDPR Monetary Penalty Notice of £18,000 after it destroyed approximately 4,800 personal records, up to ten percent of which may be irreplaceable. 

Birthlink is a charity specialising in post-adoption support and advice for people who have been affected by adoption with a Scottish connection. Since 1984 it has owned and maintained the Adoption Contact Register for Scotland. The Register allows adopted people, birth parents, birth relatives and relatives of an adopted person to register their details with the aim of being linked to and potentially reunited with family members. 

Key findings from the Information Commissioner’s Office (ICO) investigation include: 

  • Handwritten letters and photographs from birth parents amongst items destroyed 
  • Some people’s access to part of their family histories and identities may have been permanently erased due to systematic data protection failures 
  • Poor records management means true extent of actual loss will never fully be known 
  • The charity had limited knowledge of data protection obligations and lacked cost effective and easy-to-implement policies and procedures, which would likely have prevented the destruction. 

Background 

In January 2021, Birthlink reviewed whether they could destroy ‘Linked Records’ as space was running out in the charity’s filing cabinets. ‘Linked Records’ are files of cases where people had already been linked with the person they sought and can include handwritten letters from birth parents, photographs, and copies of birth certificates.  

Following a February 2021 Board meeting, it was agreed no barriers to the destruction of records existed but that retention periods should apply to certain files and only replaceable records could be destroyed. Due to poor record keeping, it is estimated some records were destroyed on 15 April 2021 with a further 40 bags destroyed on 27 May 2021.  

In August 2023, following an inspection by the Care Inspectorate, the Birthlink Board became aware that irreplaceable items had in fact been destroyed as part of the overall record destruction. It reported the incident to the ICO. 

ICO Findings 

The ICO investigation found the following infringements of the UK GDPR: 

  1. Birthlink’s destruction of manual records containing personal data of approximately 4,800 of its service users without authorisation or lawful basis (“Relevant Processing”) occurred as a result of its failure to implement appropriate organisational measures ensuring the security of the personal data contained in the records. In this regard, the ICO found that Birthlink contravened Articles 5(1)(f) and 32(1)-(2) of the UK GDPR (security). 
  2. A significant contributing factor leading to the Relevant Processing was Birthlink’s failure to demonstrate compliance with the data protection principles in accordance with Article 5(2) of the UK GDPR. Birthlink has accepted that there was limited understanding of the UK GDPR at the time of the Relevant Processing until around March 2023 when it introduced data protection training for its staff. 
  3. Despite acknowledging the high risk to affected service users arising from the Relevant Processing, Birthlink did not notify the ICO of the personal data breach until 8 September 2023. A delay of two years and five months represents a marked departure from the obligation to notify the ICO within 72 hours of becoming aware of a personal data breach in accordance with Article 33(1) UK GDPR. 

Why a fine now? 

This fine comes two weeks after the catastrophic data breach involving the Ministry of Defence (MoD) was reported, following the High Court lifting a superinjunction. In February 2022, an MoD official mistakenly emailed a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy (ARAP). The data breach also contained personal details of more than 100 British officials including those whose identities are most closely guarded; special forces and spies.  

Despite the scale and sensitivity of the MoD data breach, the ICO decided not to take any regulatory action; not even a reprimand! In its press release, the ICO praised the MoD’s internal investigation and mitigation efforts, stating that “no further regulatory action is required at this time”.  

The ICO has been heavily criticised for its inaction. The Commons Defence Committee said it would launch its own inquiry, and Dame Chi Onwurah, chair of the Commons Science, Innovation and Technology Committee, said that the Committee is writing to the Information Commissioner pushing for an investigation. Following this, the Information Commissioner issued a further statement explaining the ICO approach. 

Of course no one is suggesting that the ICO fine for Birthlink is an attempt by the ICO to move on from the MoD non-enforcement but readers may at least be wondering why a relatively small Scottish charity is fined whilst a large government department (which has been fined previously in similar circumstances) has faced no action at all.  

This case shows the importance of good records management in ensuring GDPR compliance. Our forthcoming workshop will help you implement records management best practice and understand how it can help manage the personal data lifecycle. 

£2.31 Million GDPR Fine for Genetic Testing Company. But will the fine be paid? 

The Information Commissioner’s Office (ICO) has fined a US genetic testing company £2.31 million under the UK GDPR following a 2023 cyber-attack. 

23andMe provides genetic testing for, amongst other things, health purposes and ancestry tracing. In 2023 a hacker carried out a credential stuffing attack on the company’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches. This resulted in unauthorised access to 155,592 UK residents’ personal data; potentially revealing sensitive data such as profile images, race, ethnicity, family trees and health reports. The type and amount of personal data accessed varied depending on the information included in a customer’s account. 

The investigation into 23andMe revealed serious security failings at the time of the 2023 data breach. The company failed to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information. 

The ICO also found that 23andMe’s response to the unfolding incident was inadequate. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023.
In August 2023, a claim of data theft affecting over 10 million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023. Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.  
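As an added example (not from the article, nor from 23andMe's own systems), the Python sketch below shows the kind of authentication monitoring the ICO found absent. Credential stuffing leaves a distinctive footprint in login logs: one source trying many different usernames, each only once or twice, with a small fraction succeeding, which is quite unlike a brute-force attempt against a single account. The log lines, IP addresses and usernames are constructed.

```python
from collections import defaultdict

# Constructed sample authentication log: "timestamp source_ip username outcome".
# 203.0.113.7 sprays many different accounts once each (stuffing signature);
# 198.51.100.4 hammers one account (brute force, a different signature).
SAMPLE_LOG = """\
2023-05-01T02:00:01 203.0.113.7 alice FAIL
2023-05-01T02:00:02 203.0.113.7 bob FAIL
2023-05-01T02:00:02 203.0.113.7 carol OK
2023-05-01T02:00:03 203.0.113.7 dave FAIL
2023-05-01T02:00:03 203.0.113.7 erin FAIL
2023-05-01T02:00:04 203.0.113.7 frank OK
2023-05-01T02:00:05 203.0.113.7 grace FAIL
2023-05-01T09:15:00 198.51.100.4 alice FAIL
2023-05-01T09:15:20 198.51.100.4 alice FAIL
2023-05-01T09:15:40 198.51.100.4 alice OK
2023-05-01T10:00:00 192.0.2.9 heidi OK
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((ts, ip, user, outcome == "OK"))
    return events

def detect_stuffing(events, min_distinct_users=5, max_success_ratio=0.5):
    """Flag sources that try many distinct usernames with mostly failures.
    Returns {ip: {"users": distinct_count, "compromised": [users that logged in]}}.
    The "compromised" list is what a responder would force-reset and step up to MFA."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": set()})
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if ok:
            stats["ok"].add(user)
    alerts = {}
    for ip, stats in per_ip.items():
        ratio = len(stats["ok"]) / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            alerts[ip] = {"users": len(stats["users"]), "compromised": sorted(stats["ok"])}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {info['users']} accounts tried, logged in as {info['compromised']}")
```

The thresholds are deliberately simple; in practice the distinct-username count would be evaluated per time window, and the flagged accounts fed straight into a forced password reset rather than a report read months later.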

What happens now? 

The ICO has made much of this penalty and the joint investigation conducted with the Office of the Privacy Commissioner of Canada. John Edwards, the Information Commissioner, said: 

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.” 

The fine comes after an ICO statement in March which said that a Notice of Intent for £4.59 million had been issued. That is an almost 50% reduction but, whatever the amount of the fine, the ICO is unlikely to see a penny.

In April 23andMe filed for bankruptcy in the US courts. On Friday it said that it had agreed to the sale of its assets to a non-profit biotech organisation led by its co-founder and former chief executive. It said the purchase of the company would come with binding commitments to uphold existing policies and consumer protections, such as letting customers delete their accounts and genetic data, and opt out of research. A bankruptcy court is scheduled to hear the case for its approval on Wednesday.

This case is also a good example of the extra-territorial reach of the UK GDPR. Article 3(2)(a) UK GDPR applies because, although 23andMe is not established within the UK, it processes the personal data of the affected UK Data Subjects for the purposes of offering goods or services to those individuals.

This is the third fine issued by the ICO in 2025. In April a £60,000 fine was issued to a law firm and in March an NHS IT supplier was fined £3 million. Both also followed cyber-attacks.

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations that wish to upskill their employees in cyber security. See also our Managing Personal Data Breaches Workshop.

RAC Employees Sentenced for Selling Personal Data 

On 8th October 2024, two former RAC employees were sentenced for unlawfully copying and selling over 29,500 lines of personal information.  

The two former employees worked as customer service specialists at the RAC’s call centre in Stretford. Their unlawful conduct was discovered by the RAC after it installed new security monitoring software. The software showed that one of them (employee one) had unlawfully accessed and copied personal information relating to people involved in road traffic accidents. A subsequent search of employee one’s mobile phone showed the information had been shared in a WhatsApp chat with employee two. Messages indicated that a third party was paying for the information.

At a hearing at Minshull Street Crown Court on 8 October 2024, both former employees were sentenced to six-month prison sentences, suspended for 18 months, and each was ordered to complete 150 hours of unpaid work. Both defendants had previously pleaded guilty to offences under the Computer Misuse Act 1990 and the Data Protection Act 2018. Prosecution costs will be considered at a Proceeds of Crime hearing listed for 5 March 2025.

Section 55 of the old Data Protection Act 1998 can still be used to bring a prosecution where an offence pre-dates the current Section 170 of the Data Protection Act 2018, as in the above case. It is interesting to note that the ICO also cited section 1 of the Computer Misuse Act 1990, which carries a maximum of two years’ imprisonment on indictment.

In June 2023, the Information Commissioner’s Office (ICO) disclosed that, since 1st June 2018, 92 cases involving Section 170 offences had been investigated by its Criminal Investigations Team. The most recent of these was in September 2024, when an employee pleaded guilty to retaining and selling 3,600 customer records obtained from the car leasing company he worked for. He was ordered to pay a fine of £1,200 and £300 costs.

It is important to note that, if a disgruntled or rogue employee commits a data protection offence, the employer may also be liable for the consequences. Read more in our recent blog post on this subject.

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today! 

Police Service of Northern Ireland Fined £750,000 for GDPR Breach 

The Information Commissioner’s Office has issued a GDPR fine of £750,000 to the Police Service of Northern Ireland (PSNI) for a personal data breach affecting thousands of officers.  

In August 2023, in response to a Freedom of Information (FoI) request, the PSNI mistakenly divulged information on “every police officer and member of police staff”, a senior officer said at the time. The FoI request, made via the WhatDoTheyKnow.com (WDTK) website, had asked the PSNI for a breakdown of all staff ranks and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. This contained the surnames of more than 9,483 PSNI officers and staff, their initials and other data, but did not include any private addresses. The information was published on the WDTK website for more than two hours, leaving many fearing for their safety.

The ICO investigation found that simple-to-implement procedures could have prevented the breach. The ICO’s statement said: 

“Mindful of the current financial position at PSNI and not wishing to divert public money from where it is needed, the Commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.” 

On 26th June 2024, the ICO announced that it will review the two-year trial before making a decision on the public sector approach in the autumn. The Notice of Intent issued to the PSNI before this fine was also in the sum of £750,000.

In August this year, the ICO issued a Notice of Intent for £6.09 million to an NHS IT supplier, Advanced Computer Software Group Ltd (Advanced), following a significant data breach in 2022. This came after the ICO found that the company had failed to adequately protect the personal data of 82,946 individuals. It will be interesting to see if, here too, the actual fine will be the same as the notice.