Last year saw a surge in significant cyber incidents, and the Information Commissioner's Office (ICO) responded by issuing some of its heaviest penalties to date.

The top three fines together totalled nearly £19.4 million and all related to major data breaches. Whilst there was a reduction in ICO enforcement activity generally, these fines highlight the significance that the ICO places on the protection of personal data, its strategic priorities and its willingness to respond robustly when things go wrong.

Capita - £14 million

In 2023 Capita Group, a UK business process outsourcer, suffered a ransomware attack when a malicious file was inadvertently downloaded to an employee device. This enabled hackers to infiltrate the network and reset all staff passwords, blocking user access. The hackers stole over 6.6 million personal data records, including financial and special category data, as well as details of criminal records and other sensitive information.

The ICO investigation found a series of safeguarding failures, from a failure to prevent unauthorised lateral movement across domains, to a failure to respond promptly to security alerts. Despite an alert being raised within 10 minutes of the initial incident, it took Capita 58 hours to respond appropriately, 57 hours over their one-hour target.

Having intended to issue a fine of £45 million, the ICO eventually accepted a voluntary settlement of £14 million due to mitigating factors. In the wake of the incident, Capita set up a dedicated call centre to address concerns and offered 12 months of credit monitoring to affected customers. Capita submitted that no data had been lost and no significant actual harm had been suffered. Nonetheless, the Commissioner was satisfied that the potential for harm existed and decided that Capita's infringements were serious enough to warrant a penalty proportionate for a global public company.

£14 million is one of the largest fines the ICO has ever imposed, higher even than the £12.7 million fine against TikTok in April 2023, after 1 million underage users accessed the social media platform. Companies to have faced similar penalties in recent years include British Airways (£20 million) and Marriott (£18.4 million), both in 2020. We identified several takeaways from the TikTok Penalty Notice, which you can read here.

Advanced Computer Software - £3.07 million

The ICO also fined Advanced Computer Software Group for breaking data protection law, after a cyberattack in 2022 affected NHS and social care systems. The ICO investigation into Advanced Group was purely in the context of its role as a data processor, making this the first fine against a processor and not a controller. The Advanced Group supplies IT and software services across a number of sectors, but attackers targeted its healthcare subsidiary, Advanced Health and Care Limited, which provides software for electronic patient records and clinical decision support.

In early August 2022, hackers gained entry through a customer account that lacked multi-factor authentication (MFA). This put 79,404 people's personal data at risk and disrupted critical services, including NHS 111, an event which was widely reported at the time. Some 890 individuals receiving care at home were even put at physical risk, as the stolen data included details of how to gain entry to their homes. By late September, the Chief Executive of the Oxford Health NHS Foundation Trust reported that their patient record system remained out of action and that the incident had placed "a huge burden on colleagues".

The ICO's subsequent investigation found that Advanced Health and Care Limited "fell seriously short", in the words of the Commissioner, John Edwards. The organisation had not deployed MFA consistently across its systems and had failed to undertake regular vulnerability scanning or patch management, failures which contributed to hackers gaining access to its systems.

Initially, the ICO announced a £6.09 million fine; however, this was reduced to a £3.07 million voluntary settlement to account for Advanced Group's proactive mitigation efforts. The Group spent over £21 million in remediation and response costs, which covered, for example, notifying all customers within 24 hours of the incident, engaging third-party experts as part of a forensic investigation and dedicating a team of 18 people to infrastructure restoration.

23andMe - £2.31 million

DNA testing company 23andMe rose to prominence after its founder, Anne Wojcicki, hosted "spit parties" attended by notable celebrities. Famous customers included Oprah Winfrey and Snoop Dogg, and its "spit kit" was Time Magazine's 2008 Invention of the Year.

However, in 2023, in the midst of growing financial pressures, the company suffered a major cyberattack. Through a "credential stuffing" attack, hackers exploited login credentials exposed in previous breaches to gain access to 14,601 customer accounts. This exposed highly sensitive information, including family tree and genetic data, race and ethnicity data, as well as postcodes and health reports. In total, 155,592 UK residents had their personal data stolen.

A joint UK-Canadian investigation revealed that 23andMe had failed to take basic steps to protect customer information, including failing to use unpredictable usernames (rather than email addresses) or mandatory authentication and verification measures, such as MFA. 23andMe had also failed to put systems in place to detect and respond to cyber threats, enabling hackers to carry out the attack over a period of five months. Subsequently, the ICO fined the company £2.31 million.

You can read our full article on the incident here.

Key takeaways

Although there are a number of lessons to be learned from these incidents, the ICO's attention on the importance of multi-factor authentication is worth highlighting. MFA is evidently now seen as a bare minimum requirement and first line of defence, and the ICO has demonstrated that it will come down heavily on organisations that fail to utilise it.

The Commissioner pointed out failures to implement MFA by all three companies mentioned in this article. Capita failed to utilise it as part of Privileged Access Management (PAM), i.e. the control of privileged accounts, even though internal tests had flagged the risks on several occasions leading up to the attack. In Advanced's case, the Commissioner found that full deployment of MFA would likely have impeded the hackers' access to, and exfiltration of, personal data.

The ICO was especially clear that 23andMe's failure to mandate MFA on customer accounts constituted a direct infringement of Article 5(1)(f) UK GDPR and Article 32(1)(b) UK GDPR. The Commissioner was at pains to point out that MFA is the primary means of defending against credential stuffing attacks and that, in guidance published in 2018, the National Cyber Security Centre (NCSC) advised that it was one of the most effective ways of providing additional protection to a password-protected account.

The incidents also serve as general reminders of:

  • the 'principle of least privilege', to give users the minimum access they require and to limit the number of high privileged user accounts;
  • the need to plan ahead and put systems in place to monitor cyber risk; and
  • the importance of swift response times in the event of attacks to contain incidents and mitigate damage.
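The credential stuffing pattern behind the 23andMe incident and the "monitor cyber risk" reminder above are concrete enough to illustrate in code. The following Python script is an added example, not code from this article or from any of the organisations discussed: it parses constructed authentication log lines (the log format, the IP addresses and the usernames are all invented for the example), flags a source that tries many different usernames with a low success rate, lists the accounts that were accessed on a password alone, and then re-evaluates the same events under a mandatory-MFA policy to show which of those logins would not have succeeded. The detection thresholds are assumptions a team would tune to its own traffic.

```python
"""Detect credential-stuffing patterns in authentication logs and show
why a mandatory-MFA policy blunts them. Constructed sample data only."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real traffic). Assumed format:
# "<timestamp> src=<ip> user=<username> result=<success|fail> mfa=<yes|no>"
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=alice@example.com result=fail mfa=no
2024-03-01T10:00:02Z src=203.0.113.5 user=bob@example.com result=fail mfa=no
2024-03-01T10:00:03Z src=203.0.113.5 user=carol@example.com result=success mfa=no
2024-03-01T10:00:04Z src=203.0.113.5 user=dave@example.com result=fail mfa=no
2024-03-01T10:00:05Z src=203.0.113.5 user=erin@example.com result=fail mfa=no
2024-03-01T10:00:06Z src=203.0.113.5 user=frank@example.com result=success mfa=no
2024-03-01T10:01:00Z src=198.51.100.7 user=alice@example.com result=fail mfa=no
2024-03-01T10:01:30Z src=198.51.100.7 user=alice@example.com result=success mfa=yes
"""


@dataclass
class LoginEvent:
    ts: str
    src: str
    user: str
    success: bool
    mfa: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed key=value log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(LoginEvent(ts, kv["src"], kv["user"],
                                 kv["result"] == "success", kv["mfa"] == "yes"))
    return events


def find_stuffing_sources(events, min_distinct_users=5, max_success_rate=0.5):
    """Credential stuffing signature: one source tries many *different*
    usernames and mostly fails, because replayed passwords are often stale.
    Thresholds are assumed values. Returns {src: summary} for flagged sources."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    flagged = {}
    for src, evs in by_src.items():
        distinct = {e.user for e in evs}
        successes = sum(e.success for e in evs)
        rate = successes / len(evs)
        if len(distinct) >= min_distinct_users and rate <= max_success_rate:
            flagged[src] = {
                "attempts": len(evs),
                "distinct_users": len(distinct),
                "successes": successes,
                "compromised": sorted(e.user for e in evs if e.success),
            }
    return flagged


def logins_without_mfa(events):
    """Successful logins completed on a password alone: exactly the accounts
    a mandatory-MFA policy would have protected."""
    return sorted(e.user for e in events if e.success and not e.mfa)


def enforce_mfa(events):
    """Re-evaluate the same events under a mandatory-MFA policy: a
    password-only success no longer counts as a completed login."""
    return [LoginEvent(e.ts, e.src, e.user, e.success and e.mfa, e.mfa)
            for e in events]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("flagged sources:", find_stuffing_sources(evs))
    print("password-only logins:", logins_without_mfa(evs))
    print("under mandatory MFA:", find_stuffing_sources(enforce_mfa(evs)))
```

Run as a script, the first line of output flags 203.0.113.5 (six attempts across six distinct usernames, two successes); the last shows the same source still detected as an attack, but with an empty list of compromised accounts, which is the point the ICO made about MFA on customer accounts. In a real deployment the windowing, thresholds and the response (rate limiting, forced re-verification, alerting) would be tuned to the service.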

This comes as the ICO is about to enter a new phase, with updated draft enforcement policy signalling an important step-change in approach. If current proposals go ahead, the public will have access to the names of organisations under active investigation, increasing potential reputational risk. The ICO will also have stronger investigatory powers; however, these will be balanced by a gatekeeping test and a formalised settlement process, with discounts available if organisations cooperate.

For a more in-depth conversation on enforcement trends and key legal changes in data regulation, privacy and compliance, you can view our recent Q&A webinar led by partner, Charlotte Clayson: Data Unlocked: What's new in 2025 and why it matters.