United Kingdom
Lloyds Bank questioned by ICO for overuse of staff banking data and potential breach
- The ICO is investigating Lloyds Banking Group for accessing the personal financial data of 30,000 employees to use during union pay negotiations.
- Lloyds used aggregated spending and savings data from staff bank accounts to argue that low-paid employees were financially stable, raising concerns about whether this violated data privacy rules.
- If found guilty of a breach, the ICO has the power to fine the group up to 4% of its annual turnover, which could result in a penalty of approximately £1.36 billion.
Government and ICO sign agreement to raise data protection standards
- The Government and the ICO have agreed on raising data protection standards across public sector organisations.
- Following a series of breaches, including one to the Ministry of Defence, the Government has committed to rebuilding public confidence by enhancing accountability and transparency in how personal information is handled.
- The ICO, as part of the agreement, will provide advice, scrutiny, and challenge to ensure compliance.
- As part of the commitment, the Government will publish an annual assurance statement, detailing progress on data protection improvements.
United States
Texan data broker fined by California regulators after selling millions of sensitive data
- The California Privacy Protection Agency fined Texas-based company Datamasters $45,000 and permanently banned it from selling Californians’ data after the company failed to register as a data broker.
- The broker maintained massive databases of highly sensitive information, including records for over 400 thousand Alzheimer’s patients, 2.3 million visually impaired individuals, and lists categorized by ethnicity.
- This case highlights a major loophole where health data sold by brokers is not protected by HIPAA. For this reason, starting in 2028, California will mandate independent audits every three years for all registered brokers to prevent exploitation of sensitive information.
Nigeria-US partnership on data privacy, AI, and cybersecurity reaffirmed
- The National Information Technology Development Agency (NITDA) Director-General reaffirmed a partnership between Nigeria and the US focused on data privacy, Artificial Intelligence, and cybersecurity to build a secure and trusted digital ecosystem.
- The collaboration builds on agreements made in April 2024 via the US-Nigeria Binational Commission, which have already resulted in joint AI conferences and technical engagements with American cybersecurity firms.
- Moving forward, Nigeria plans to elevate its National Cybersecurity Conference into a global platform, inviting US and international tech firms to showcase technologies and partner with local Nigerian innovators.
Europe
CNIL fines Free Mobile €42 million over 2024 data breach incident
- The French regulator CNIL imposed cumulative fines of €42 million on Free Mobile and its parent company, Free, following a massive 2024 data breach that affected over 23 million customers.
- The investigation revealed negligent security, including weak password requirements for employee VPNs and ineffective systems for detecting abnormal activity, which allowed hackers to access a central management tool.
- The stolen information included names, addresses, and bank identifiers for roughly 25% of the data subjects.
- Furthermore, the CNIL sanctioned the companies for excessive data retention and for failing to clearly inform users about the specific risks of the breach.
Amazon launches new Europe-based cloud service to address user concerns
- AWS launched a sovereign European Cloud that is claimed to be “physically and logically separate” from all other global AWS regions.
- The system is managed exclusively by a German company. All operations, technical support, and data centres are handled by EU residents, with a long-term requirement that all employees must hold EU citizenship.
- Unlike standard cloud setups where some metadata (like login roles or billing info) might travel to global servers, this sovereign cloud keeps all data and metadata strictly within EU borders.
- AWS is investing over €7.8 billion in the project, starting with a primary hub in Brandenburg, Germany.
International
Korean Air data breach impacts 30,000 employees
- A Korean Air data breach has affected thousands of employees after hackers breached the airline’s supplier, Korean Air Catering & Duty-Free (KC&D).
- Approximately 30,000 current and former employees had their names and bank account numbers compromised.
- The Russian-speaking Clop ransomware group claimed responsibility for the attack. In late 2025, the group published roughly 500GB of stolen archives on the dark web after KC&D likely refused to pay a ransom.
- Korean Air has issued emergency warnings to all staff to ignore suspicious requests for security card numbers or money transfers. The airline is also conducting a full audit of KC&D’s security protocols.