Privacy Updates

Latest news and updates on Global Data Privacy.

Data Breach Update March 2026:

Lloyds Banking Group & Companies House

Recent incidents involving Lloyds Banking Group and Companies House highlight ongoing risks around data security, even within major UK institutions.

Lloyds Banking Group Incident
In March 2026, a technical glitch across Lloyds, Halifax, and Bank of Scotland digital platforms temporarily exposed customer data. Some users were able to view other customers’ transaction histories and personal financial details within mobile and online banking services. (Reuters)

The issue was attributed to an internal IT failure rather than a cyberattack and was resolved quickly. However, the incident has prompted scrutiny from regulators, including the Information Commissioner’s Office (ICO) and the UK Treasury Committee, raising concerns around digital resilience and data governance. (Reuters)

Companies House Data Breach
Separately, Companies House confirmed a significant system vulnerability linked to a software update introduced in October 2025. The flaw reportedly persisted for several months and may have exposed sensitive information such as directors’ dates of birth, residential addresses, and company email details. (Financial Times)

There were also concerns that unauthorised changes to company records could have been made via the system. While no cyberattack has been confirmed, the organisation has self-reported the breach to regulators and is conducting an ongoing investigation. (Financial Times)

Key Takeaways
These incidents reinforce several critical points for organisations:

  • Even non-malicious technical failures can result in reportable data breaches

  • Access controls and system testing remain essential during updates and deployments

  • Regulatory scrutiny is increasing, particularly where large-scale or sensitive data exposure is involved

Organisations should review their incident response processes, system change controls, and data protection measures to mitigate similar risks.

If you would like support reviewing your data protection framework or incident response readiness, please get in touch.

June 2025

£2.3 million fine for 23andMe

The ICO has fined genetic testing firm 23andMe £2.31 million following a large-scale credential‑stuffing attack in 2023 that exposed the sensitive personal and genetic data of at least 150,000 UK users—part of a global toll of around 7 million accounts.

The breach went undetected for months; stolen data surfaced on Reddit and hacker forums.

The ICO stressed the company's failure to implement basic safeguards like multi‑factor authentication, calling the breach “profoundly damaging”.

Users whose DNA data was compromised have reported anxiety that their “genetic makeup” cannot be changed.

£3 million fine levied on Capita

In March 2025, the ICO also fined outsourcing firm Capita £3 million over a 2023 ransomware breach that exposed sensitive client data, including pension records.

The attack was attributed to unpatched systems, highlighting recurring issues in large service providers.

Marks & Spencer

The ICO confirmed it is investigating cyber‑incidents at major retailers, including Marks & Spencer and the Co‑op, and is collaborating with the NCSC to assess impacts.

M&S disclosed that a ransomware attack during Easter harvested names, addresses, and order histories, although payment details were safe.

ICO - April 2025.

The Information Commissioner's Office (ICO) has recently intensified its efforts to protect personal data and enforce compliance across various sectors. In April 2025, the ICO published a report scrutinising how financial services collect and use children's data, focusing on products like savings accounts and prepaid cards. Earlier, in January, the ICO launched a strategy targeting cookie compliance among the UK's top 1,000 websites, aiming to ensure users have meaningful control over their online data. Additionally, the ICO has taken action against public authorities for failing to meet Freedom of Information obligations, including issuing enforcement notices to Sussex Police and South Yorkshire Police for significant backlogs in responding to information requests.