United Kingdom
Capita fined £14mn by the ICO for 2023 cybersecurity failures
- The UK Information Commissioner’s Office (ICO) fined Capita £14 million for failing to ensure the security of personal data in a 2023 cyber attack that exposed information on 6.6 million people.
- The ICO found serious deficiencies in Capita’s cybersecurity, including slow response to breach alerts, poor privilege management, and inadequate penetration testing.
- Sensitive data such as criminal records, financial details, and pension information was compromised due to insufficient technical and organisational safeguards.
- The ICO stressed that no organisation is too large to ignore its data protection duties, urging all companies to adopt proactive cybersecurity measures and follow National Cyber Security Centre (NCSC) guidance to prevent similar incidents.
UK hit by record number of cyber attacks, NCSC reports
- The UK’s National Cyber Security Centre (NCSC) reported a record 204 nationally significant cyber incidents between September 2024 and August 2025, compared to 89 the previous year, representing an average of 4 attacks per week.
- 18 incidents were classified as “highly significant”, reflecting a sharp rise in attacks targeting critical sectors such as energy, healthcare, and government, often linked to Advanced Persistent Threat groups.
- The NCSC warned that delayed adoption of basic security measures remains a key factor in successful breaches, encouraging organisations to prioritise cyber resilience as essential to business survival and national security.
- In response, the UK government is pressing FTSE 350 leaders to treat cyber defence as a board-level priority and has launched new support measures, including the Cyber Action Toolkit and expanded Cyber Essentials certification with added insurance incentives.
United States
US ambassador encourages EU-US cooperation on AI and tech regulation
- US Ambassador to the EU Andrew Puzder called for a potential unified transatlantic approach to AI regulation, emphasising that collaboration could create rules that work for both the EU and the US.
- Puzder warned against overregulation, suggesting that excessive EU tech laws could hinder innovation and attract continued scrutiny from the US, which is leading in the tech field.
- Despite political tensions over measures like the Digital Services Act and digital taxes, the ambassador noted shared regulatory interests, citing parallel EU and US cases against Google for competition breaches.
Massachusetts hacker sentenced to prison for massive data breach and extortion of PowerSchool
- 20-year-old Matthew Lane was sentenced to four years in prison for hacking education software provider PowerSchool and stealing the personal data of over 60 million students and 10 million teachers across the US.
- He used stolen credentials to access PowerSchool’s network, exfiltrated sensitive data including social security numbers, and demanded $2.85 million in bitcoin to prevent public release.
- The court also ordered Lane to pay $14 million in restitution, highlighting the severe financial and privacy consequences of large-scale cyber extortion.
Europe
Italian regulator stops deepfake “undressing” app over data protection risks
- The Italian Data Protection Authority has ordered an immediate suspension of personal data processing by Clothoff, a British Virgin Islands-based app that generates fake nude images using AI.
- The app lacks consent verification and transparency mechanisms, allowing users, including minors, to upload photos without confirming permission from those depicted.
- It raises serious risks to privacy, human dignity, and personal data, particularly concerning potential exploitation and the creation of non-consensual explicit content.
- A broader investigation into “nudifying” apps has been launched to assess their compliance with data protection law and to curb the misuse of deepfake technologies.
France opens cybercrime investigation into Apple’s Siri data collection
- The Paris public prosecutor has launched an investigation into Apple over alleged unlawful collection and processing of Siri voice recordings, following a complaint from a French NGO.
- A whistleblower revealed that subcontractors listen to thousands of Siri recordings to improve the quality of Siri’s responses, potentially exposing confidential and identifiable user information without consent.
- The case follows a class action in France and a $95 million settlement in the US, highlighting ongoing scrutiny of Apple’s data handling and compliance with EU privacy standards, although Apple argues that no recordings are kept with Siri unless the user agrees explicitly.
International
Singapore to establish Online Safety Commission with powers to block harmful content
- Singapore is creating an Online Safety Commission with the authority to order social media platforms and internet providers to block harmful content, including posts involving harassment, child pornography, and abuse of intimate images.
- The new law, expected to take effect by mid-2026, will also give victims rights to reply and allow authorities to ban offenders from accessing platforms.
- The initiative strengthens Singapore’s online safety and cyber-harm framework, complementing the Online Criminal Harms Act introduced in 2024, under which Meta was already threatened with significant fines for failing to tackle impersonation scams.



