Data Protection Case Study: Lessons from the ICO’s Largest Fines in 2025

Introduction

In this case study, we examine the largest data-privacy penalties issued by the UK’s Information Commissioner’s Office (ICO) in 2025. The ICO is the independent regulatory authority responsible for upholding information rights, enforcing data-protection laws, and ensuring that organisations handle personal data responsibly under the UK GDPR and the Data Protection Act 2018.

The primary goal of this review is to highlight the regulatory and financial exposure that UK financial institutions face when they fail to comply with data protection obligations, particularly regarding cookie consent, tracking technologies, data transparency, and security practices. By understanding the nature of these breaches and the reasons behind the penalties, organisations can better assess their own exposure and take proactive steps to strengthen compliance before issues escalate.

Background

With the ICO issuing higher penalties and conducting more detailed investigations, organisations can no longer rely on outdated data-protection practices. Non-compliant websites, particularly those with weak cookie consent and tracking controls, now pose a significant risk to both regulatory compliance and financial stability.

UK’s Largest Data-Protection Fines

In 2025, the ICO issued several significant penalties for failures to implement adequate technical and organisational measures, particularly in relation to cyber-attacks and data-security governance.

The largest fines were issued to the Capita Group, where both Capita Pension Solutions Ltd (£6M) and Capita PLC (£8M) were penalised after a major cyber-attack exposed serious shortcomings in their security controls and incident response processes. In March 2023, the breach resulted in the theft of data belonging to around 6.6 million individuals, including pension scheme members, staff records, and customers of organisations relying on Capita’s services. The attackers accessed nearly one terabyte of personal and sensitive information (from pension details to financial and special-category data) before Capita shut down the compromised system. The regulatory investigation revealed multiple failings: known vulnerabilities were left unresolved; privileged admin accounts lacked proper tiering, allowing unauthorised lateral movement across domains; the company’s Security Operations Centre (SOC) was understaffed; and containment was slow, with the firm taking 58 hours to isolate the breached device against a target response time of one hour.

Other notable ICO enforcement actions included:

  • Birthlink (£18K), fined for insufficient safeguards that led to the loss of irreplaceable personal records;
  • 23andMe (£2.31M), penalised for inadequate protection of highly sensitive genetic data and a delayed response to a prolonged cyber-attack affecting over 155,000 UK users; and
  • Advanced Computer Software Group Ltd (£3.07M), fined after a ransomware attack exploited an account without multi-factor authentication, putting the data of more than 79,000 individuals at risk.

These rulings reinforce a consistent message from the ICO that inadequate security controls and outdated data-protection practices leave organisations, particularly those managing sensitive or high-volume data, vulnerable to severe enforcement action and substantial fines.

Main challenges

Laws such as the UK GDPR and the Data Protection Act 2018, along with international frameworks, continue to evolve. Companies struggle to keep policies, processes, and technical systems aligned with shifting requirements.

Many organisations still rely on outdated or poorly configured Consent Management Platforms. This leads to invalid consent, data loss, or unlawful tracking, which is one of the most common causes of regulatory action.

Even with strong policies in place, many organisations struggle to implement privacy requirements correctly. Consent signals often fail to fire as intended, tracking scripts load without valid consent, and cookies are miscategorised. These technical gaps create a disconnect between legal obligations and system behaviour, exposing companies to avoidable risk.
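The failure modes described above (scripts firing before consent, cookies landing in the wrong category, a consent signal that never arrives) can be checked mechanically. The following is an added example, not code from this page or from Tag Data Trust: a consent gate that fails closed when the signal is missing, and an audit that compares the cookies actually observed against a declared registry. The category names, tracker registry and cookie names are constructed assumptions for illustration.

```javascript
// Consent categories used by this example (constructed; real CMPs vary).
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Declared registry: which consent category each script or cookie requires.
// Constructed sample data, not a real site's configuration.
const TRACKERS = [
  { name: "session-cookie", category: "necessary" },
  { name: "analytics-beacon", category: "analytics" },
  { name: "ad-pixel", category: "marketing" },
];

// Normalise whatever the CMP delivered into an explicit per-category boolean.
// A missing or malformed signal is treated as "no consent": the gate fails closed,
// so a consent banner that never fired cannot silently enable tracking.
function normaliseConsent(rawSignal) {
  const consent = {};
  for (const category of CATEGORIES) {
    consent[category] =
      category === "necessary" ||
      (rawSignal !== null && typeof rawSignal === "object" && rawSignal[category] === true);
  }
  return consent;
}

// Return the trackers that may run under the normalised consent state.
// Trackers in an undeclared category are blocked rather than defaulting open.
function allowedTrackers(rawSignal, trackers = TRACKERS) {
  const consent = normaliseConsent(rawSignal);
  return trackers.filter((t) => consent[t.category] === true);
}

// Audit the cookies actually observed on a page against the registry.
// Flags cookies set in a category the user has not consented to, and cookies
// that are not declared at all (unregistered or miscategorised).
function auditCookies(observedCookies, rawSignal, trackers = TRACKERS) {
  const consent = normaliseConsent(rawSignal);
  const registry = new Map(trackers.map((t) => [t.name, t.category]));
  const findings = [];
  for (const cookie of observedCookies) {
    const category = registry.get(cookie);
    if (category === undefined) {
      findings.push({ cookie, issue: "unregistered" });
    } else if (consent[category] !== true) {
      findings.push({ cookie, issue: `set without ${category} consent` });
    }
  }
  return findings;
}

// Walk-through on constructed data: the CMP reported analytics consent only,
// yet an ad pixel and an undeclared cookie were observed on the page.
const observed = ["session-cookie", "analytics-beacon", "ad-pixel", "_tmp_vendor"];
const signal = { analytics: true };
console.log("allowed:", allowedTrackers(signal).map((t) => t.name));
console.log("findings:", auditCookies(observed, signal));
```

Running the block with no signal at all (`allowedTrackers(undefined)`) permits only the necessary tracker, which is the behaviour a regulator expects when a consent banner fails to fire; the audit output is the list a privacy engineer would hand to whoever owns the tag configuration.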

Our goals

Our team ensures that principles like data minimisation, purpose limitation, and transparency are not just stated in policy documents, but are built directly into your technical controls and operational workflows. This eliminates ambiguity and creates a unified, privacy-first framework your teams can confidently rely on.

Too often, legal teams draft policies or procedures, IT teams build systems, and marketing teams activate data, yet these functions rarely communicate in a structured, ongoing way. This disconnect opens critical gaps where compliance issues commonly arise: policies that can’t be operationalised, systems that don’t reflect legal requirements, and data practices that drift away from regulatory expectations.

This is exactly where we add value. With both compliance specialists and technical experts in-house, we bridge these silos, translate requirements across teams, and build solutions that are legally sound, technically feasible, and operationally sustainable.

Tag Data Trust

Want the same results?

Get in touch to see how we can help you today.