Privacy Updates

Latest news and updates on Global Data Privacy.

June 2025

£2.3 million fine for 23andMe

The ICO has fined genetic testing firm 23andMe £2.31 million following a large-scale credential‑stuffing attack in 2023 that exposed the sensitive personal and genetic data of at least 150,000 UK users—part of a global toll of around 7 million accounts.

The breach went undetected for months; stolen data surfaced on Reddit and hacker forums.

ICO stressed the company's failure to implement basic safeguards like multi‑factor authentication, calling the breach “profoundly damaging”.

Users whose DNA data was compromised have reported anxiety that their “genetic makeup” cannot be changed.

£3 million fine levied on Capita

In March 2025, the ICO also fined outsourcing firm Capita £3 million over a 2023 ransomware breach that exposed sensitive client data, including pension records.

The attack was attributed to unpatched systems, highlighting recurring issues in large service providers.

 Marks and Spencers

The ICO confirmed it is investigating cyber‑incidents at major retailers, including Marks & Spencer and the Co‑op, and is collaborating with the NCSC to assess impacts.

M&S disclosed that a ransomware attack during Easter harvested names, addresses, and order histories, although payment details were safe

ICO - April 2025.

IThe Information Commissioner's Office (ICO) has recently intensified its efforts to protect personal data and enforce compliance across various sectors. In April 2025, the ICO published a report scrutinising how financial services collect and use children's data, focusing on products like savings accounts and prepaid cards. Earlier, in January, the ICO launched a strategy targeting cookie compliance among the UK's top 1,000 websites, aiming to ensure users have meaningful control over their online data. Additionally, the ICO has taken action against public authorities for failing to meet Freedom of Information obligations, including issuing enforcement notices to Sussex Police and South Yorkshire Police for significant backlogs in responding to information requests.