United Kingdom
23andMe fined £2.31 million for failing to protect UK users’ genetic data
- The Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber-attack that occurred between April and September 2023.
- This attack resulted in unauthorised access to the personal information of 155,592 UK residents, potentially revealing names, birth years, ethnicity, health reports, and more. The ICO’s investigation revealed that 23andMe did not have additional verification steps for users to access and download their raw genetic data.
- John Edwards, UK Information Commissioner, said: “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”
- This penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.
Thousands of UK government laptops, phones and tablets have been lost or stolen
- Freedom of information disclosures have revealed that thousands of UK government laptops, phones, and tablets worth more than £1m have been either lost or stolen. This has triggered warnings of a “systemic risk” to the United Kingdom’s cybersecurity.
- The Department for Work and Pensions recorded 240 missing government laptops and 125 missing phones in 2024. In the first five months of 2025, the Ministry of Defence recorded 103 missing laptops and 387 missing phones. The Cabinet Office, which coordinates government activity, reported 66 laptops and 124 phones either lost or stolen in 2024.
- Cybersecurity experts said the losses could enable hackers to create backdoors into government systems even if large parts of the hardware were encrypted. One called it “a huge national security risk”, but the government downplayed the danger, saying that encryption prevented access by bad actors.
- “These are surprisingly large numbers,” said Professor Alan Woodward, a cybersecurity expert at the University of Surrey. “When you are talking about so many [it creates] a large attack surface [for hackers]. If 1% were system administrators who had their phones stolen, that’s enough to get in.”
United States
AT&T’s $177-million data breach settlement wins US court approval
- On June 20th, a U.S. judge granted preliminary approval to a $177-million (~£131,493,300) settlement that resolves lawsuits against AT&T over data breaches in 2024 that exposed personal information belonging to tens of millions of the telecommunication company’s customers.
- Depending on which breach is involved, AT&T has agreed to pay up to $2,500 or $5,000 to customers who suffered losses that are “fairly traceable” to the incidents. After payments are made for direct losses, the remaining funds will be distributed to customers whose personal information was accessed.
- AT&T said it denied allegations it was “responsible for these criminal acts.” A representative from the company stated: “We have agreed to this settlement to avoid the expense and uncertainty of protracted litigation.”
- AT&T said it expects the settlement will be approved by the end of 2025, with settlement payments to be issued early next year.
Insurer Aflac investigating possible data leak after cyberattack
- US-based health and life insurance company Aflac is investigating a breach of its U.S. network that may have exposed customers’ personal information.
- The attack was carried out on June 12th by a sophisticated cybercrime group, potentially impacting files containing personal information of Aflac’s customers, such as social security numbers and health-related details.
- An Aflac representative indicated that the characteristics of the incident were consistent with the tactics used by Scattered Spider, a hacking group active since May 2022. Known for targeting multiple companies within the same industry in coordinated waves, the group has also been linked to retail cyberattacks in the UK and is currently under investigation by the UK National Crime Agency.
- Earlier this week, Google’s chief threat analyst warned the insurance industry to be on high alert for attacks by Scattered Spider. The group is also reportedly behind recent outages at other US insurance companies, including Philadelphia Insurance Companies and Erie Indemnity.
Europe
EU reaches provisional agreement to speed up cross-border GDPR enforcement
- On June 16th, the European Parliament and the Polish EU Council Presidency reached a provisional agreement on new GDPR rules to improve cross-border enforcement and cooperation between national data protection authorities.
- The regulation sets clear deadlines for investigations by lead supervisory authorities: 12 months for straightforward cases, 15 months for complex ones, with limited extensions. It also strengthens rights for complainants and companies, including access to case files and the right to be heard.
- Member of European Parliament Markéta Gregorová called the deal a long-overdue “win for digital rights”, saying it will make GDPR enforcement faster, fairer, and more transparent.
- Privacy group Noyb criticised the proposal as overly complex with excessive delays and warned it may pursue legal action if the law passes unchanged.
- Experts say the regulation could lead to more consistent and timely enforcement, though its real impact will depend on how it’s implemented in practice.
International
Australia’s teen social media ban faces a new wildcard: teenagers
- Australia is trialling age-checking software to support a proposed national ban on under-16s accessing social media, with companies like Meta, Snapchat, and TikTok facing fines up to AUD $49.5 million (~£23,616,697) if they fail to take “reasonable steps” to block younger users to protect their mental and physical health.
- In May, about 30 students tested photo-based age estimation software tools, some of which could guess age to the month. Many students reported they could easily bypass the systems by using others’ photos.
- Trial organisers found selfie-based tools to be most accurate and efficient, while credit card-based and hand-gesture tools were either impractical or too unreliable for users near the age threshold.
- Concerns remain about effectiveness and enforcement: some products gave wildly inaccurate results, with one 13-year-old being estimated at 42 years old. There’s currently no official benchmark for what level of accuracy is acceptable.
- Experts and stakeholders say all eyes are on Australia as other countries consider similar regulations.



