Over the past few months, the UK Information Commissioner’s Office (ICO) has issued a series of enforcement actions that underscore a recurring regulatory concern: data breaches that, in the ICO’s view, were not merely accidental but the result of organisations failing to implement even basic data protection safeguards—violations of their accountability obligations under the UK GDPR.

These decisions, concerning companies ranging from health IT and genetic testing to a law firm, demonstrate how the ICO is now interpreting data breach-related obligations under the UK GDPR, with a clear expectation of proactive, documented, and risk-based security governance.

This article examines three such cases. While each relates to a different sector and breach type, the underlying patterns are strikingly similar. Rather than detailing each enforcement case exhaustively, the focus here is on understanding the ICO’s rationale in order to draw practical lessons that organisations can apply across industries.

Nevertheless, a brief background on each case is provided to help contextualise the ICO’s decisions.

Advanced – £3.07M fine (March 2025)

Advanced, a software provider serving the UK’s National Health Service (NHS), suffered a ransomware attack in August 2022 that led to significant disruption across UK healthcare systems. The attackers exploited a customer account without multi-factor authentication (MFA) and then took advantage of well-known system vulnerabilities to infiltrate and escalate privileges within the environment.

The investigation revealed that Advanced had neither conducted regular vulnerability scanning nor maintained a reliable patching schedule. Where penetration testing had been performed, some of the vulnerabilities identified were not addressed and were later exploited during the attack. The ICO concluded that the organisation failed to ensure ongoing resilience and lacked any effective process for testing or evaluating its security posture—both requirements under Article 32 para. 1 lit. b UK GDPR.

23andMe – Notice of intent to fine £4.59M (March 2025)

The genetic testing firm 23andMe experienced a large-scale breach affecting approximately 6.9 million users, many of whom had linked their data with family members via the platform. Attackers relied on credential stuffing—a method that uses usernames and passwords leaked from unrelated data breaches—to access accounts. Because MFA was not enforced and many users had reused passwords, the attackers gained access to a broad array of genetic and ancestry information.

The ICO viewed this not merely as a technical lapse, but as a fundamental governance failure. The threat of credential stuffing had long been known in the industry, and the absence of layered security measures—particularly MFA—represented a failure to implement reasonable security practices. While the enforcement process is still ongoing, the provisional penalty notice highlights that well-understood risks require pre-emptive mitigation and that the reuse of login credentials should never be treated as unforeseeable.

The case highlights how data protection obligations extend beyond technical implementation and into corporate governance, particularly where sensitive data and high-risk profiling are concerned.

Of further interest is the context of 23andMe’s bankruptcy proceedings initiated under Chapter 11 in the US, which raises complex data protection questions concerning the handling of customer data during corporate restructuring or a potential sale.

Both the UK and Canadian data protection authorities confirmed they are closely monitoring the situation. Notably, the ICO has reiterated that 23andMe remains subject to the UK GDPR and that any prospective purchaser must continue to comply with UK data protection legislation. As emphasised by the ICO, “Any potential buyer of 23andMe must comply with UK GDPR, including the restrictions imposed on the use or disclosure of personal information for purposes other than those for which it was originally collected”.

DPP Law Ltd – £60,000 fine (April 2025)

Perhaps the most revealing of the three is the ICO’s decision against DPP Law Ltd, a UK firm specialising in criminal law, family law and actions against the police, which therefore also processes highly sensitive personal data (e.g. information relating to sexual offences, DNA data, legally privileged information and allegations of criminal offences).

In June 2022, the firm suffered a cyberattack that compromised client data. The breach was not discovered internally but came to light only after the National Crime Agency informed DPP that client information had been posted on the dark web.

A third-party forensic investigation later revealed that attackers had gained access through a brute-force attack on a legacy administrator account linked to a discontinued case management system. The account had extensive and unrestricted privileges across DPP’s network and had remained active without monitoring or suspension. The attacker used this access to exfiltrate approximately 32 GB of data.

Crucially, the ICO found that the breach was preventable. DPP had failed to implement what the Authority regards as common best practices, such as limiting administrative access, conducting access reviews and deactivating dormant accounts. These were not advanced security controls, but rather routine actions the ICO described as “straightforward” and that “could have been implemented prior to the incident at minimal cost”.

Furthermore, DPP did not initially treat the incident caused by the ransomware attack as a reportable breach, failing to recognise that loss of access to personal data, on its own, constitutes a personal data breach under the UK GDPR. As a result, notification to the ICO occurred 43 days after DPP became aware of the incident, far beyond the 72-hour reporting window under Article 33.

Recurring Failures and Key Lessons Across Cases

Despite the differences in sector—IT services, biotech, and legal—these cases revealed shared weaknesses in fundamental data protection practices. At the same time, the ICO treats addressing these weaknesses as baseline best practice:

  • Multifactor Authentication (MFA) was either not used or inconsistently applied, despite being a long-established industry standard. The ICO expects MFA as a minimum safeguard, especially for administrator and customer-facing accounts.
  • Mismanagement of administrator accounts, especially dormant or legacy ones.
  • Data retention and minimisation policies were either absent or ignored, particularly for special category data.
  • Patch management and vulnerability scanning were neglected, allowing known exploits to remain unaddressed.
  • Risk assessments were missing or superficial, even where high-risk processing activities were performed.
  • Breach monitoring, detection, and response to unauthorised access or system anomalies were weak or delayed.
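
As an added illustration (not code from the article or from any of the organisations it discusses), the following Python script performs the kind of access review the ICO found missing at DPP over a constructed account inventory: it flags accounts without MFA, privileged accounts dormant beyond an assumed 90-day threshold, and accounts still attached to decommissioned systems. The inventory fields, account names, systems and the threshold are all assumptions made for this example.

```python
"""Account hygiene review over a constructed identity inventory.

Added example, not part of the original article. The inventory format,
field names and the 90-day dormancy threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DORMANCY_THRESHOLD_DAYS = 90  # assumed review threshold, not an ICO figure


@dataclass
class Account:
    username: str
    privileged: bool            # holds administrative rights
    mfa_enabled: bool
    last_login: Optional[date]  # None = no login on record
    linked_system: str
    system_active: bool         # False = the system has been decommissioned


@dataclass
class Finding:
    username: str
    severity: str               # "high" or "medium"
    issue: str
    action: str


def review_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Flag the account-hygiene gaps the ICO described as straightforward to fix."""
    cutoff = today - timedelta(days=DORMANCY_THRESHOLD_DAYS)
    findings: List[Finding] = []
    for acct in accounts:
        # MFA is expected everywhere; its absence on a privileged account is severe.
        if not acct.mfa_enabled:
            findings.append(Finding(
                acct.username,
                "high" if acct.privileged else "medium",
                "MFA not enabled",
                "enforce MFA before the account is used again",
            ))
        # A privileged account with no recent (or no recorded) login is dormant.
        dormant = acct.last_login is None or acct.last_login < cutoff
        if dormant and acct.privileged:
            findings.append(Finding(
                acct.username, "high",
                f"privileged account dormant for more than {DORMANCY_THRESHOLD_DAYS} days",
                "disable now; re-enable only after the owner confirms a need",
            ))
        # Accounts tied to retired systems should have been removed with the system.
        if not acct.system_active:
            findings.append(Finding(
                acct.username, "high",
                f"account belongs to decommissioned system '{acct.linked_system}'",
                "remove the account and revoke its privileges",
            ))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings for a governance report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory (fictional accounts and systems).
SAMPLE_ACCOUNTS = [
    Account("alice.admin", True, True, date(2025, 4, 28), "case-mgmt-v2", True),
    Account("legacy_admin", True, False, date(2023, 11, 2), "case-mgmt-v1", False),
    Account("bob.user", False, False, date(2025, 4, 30), "crm", True),
    Account("svc_backup", True, True, None, "backup", True),
]
REVIEW_DATE = date(2025, 5, 1)  # constructed review date

if __name__ == "__main__":
    results = review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for f in results:
        print(f"[{f.severity}] {f.username}: {f.issue} -> {f.action}")
    print(count_by_severity(results))
```

Run on a real export, the same three checks give a documented, repeatable access review: the findings list is the evidence that dormant and legacy privileged accounts were looked for, and the severity counts feed the risk assessment the ICO expects to see alongside the technical controls.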

In each case, the ICO underlined that these failings were avoidable. Organisations are expected to take proactive, risk-based measures to comply with Article 32 UK GDPR, not simply respond after the fact.

Case Takeaways

Each case demonstrates that the ICO expects organisations to adopt not just basic technical measures, but a strategic and well-documented approach to data governance.

  • Basic security measures like MFA, patching, and monitoring are non-negotiable.
  • DPIAs must be real tools for risk analysis—not box-ticking exercises.
  • Breach response plans must be operational, not theoretical.

Accountability must be embedded in governance, with privacy professionals empowered to act—not sidelined.

If your organisation processes sensitive data or operates in a high-risk sector, these cases offer an unambiguous message: regulatory tolerance for basic security lapses is diminishing. The ICO’s decisions are not simply punitive—they are intended as sector-wide guidance for what “appropriate” measures look like in practice. Learning from others’ mistakes is not just prudent; it may be essential to avoiding the next enforcement notice.

These cases reinforce the value of embedding qualified privacy expertise within organisations. Whether via a designated Data Protection Officer or retained legal counsel, companies must ensure that data protection is not siloed, but woven into IT strategy, operational planning, and incident response.
