The Information Commissioner’s Office issued fewer fines in the first half of 2025 than in previous years. Yet it collected seven times more money than it did throughout the whole of 2024.
The average fine jumped from £150,000 to over £2.8 million. The ICO has moved from issuing regular small penalties to targeting serious data breaches with much heavier financial consequences.
For data controllers and processors, this signals a clear shift in enforcement strategy. Understanding what’s driving these record penalties helps you avoid becoming the next example.
The Numbers Tell a Clear Story
In the first six months of 2025, the ICO issued just six fines totalling approximately £5.6 million. That’s already double the entire £2.7 million collected across 18 fines throughout 2024.
When you include October’s Capita settlement, the 2025 total reaches £19.6 million from just seven cases. That’s a sevenfold increase in revenue from one-third the number of enforcement actions.
The composition of these fines has changed too. Two-thirds were issued for UK GDPR breaches in H1 2025, compared to just one-sixth in 2024. The ICO is clearly prioritising data protection failures over other regulatory violations like spam or marketing consent issues under PECR.
The Year’s Biggest Cases
Three cases dominate the 2025 enforcement landscape, each revealing different aspects of the ICO’s current priorities.
Capita: £14 Million for Slow Incident Response
In October, Capita received the ICO’s largest ever settlement at £14 million. The original proposed fine was £45 million, but Capita received a substantial reduction for settling early and not appealing.
The breach affected 6.6 million people across multiple organisations. The core failure? A 58-hour delay in quarantining a compromised device after detecting suspicious activity.
According to the ICO’s announcement, the company failed to act quickly enough to contain the breach. This wasn’t about sophisticated technical failures. It was about poor incident response procedures and delayed decision-making.
Advanced: £3.07 Million and a New Precedent
In March, Advanced Computer Software received £3.07 million for a ransomware attack that disrupted 82 NHS organisations. This fine is significant for two reasons.
First, it’s the ICO’s first major enforcement action against a data processor rather than a controller. For years, processors operated with minimal fear of direct ICO action. That era has ended.
Second, the technical failures were preventable. Advanced failed to implement multi-factor authentication across critical systems and left known vulnerabilities unpatched. These aren’t obscure security gaps. They’re basic controls that any processor handling NHS data should have deployed years ago.
23andMe: £2.31 Million for Credential Stuffing
In June, genetic testing company 23andMe was fined £2.31 million after a credential stuffing attack compromised 155,000 UK user accounts. The original proposed fine was £4.59 million, reduced by approximately 50% after the company made representations.
Credential stuffing succeeds when users reuse passwords across multiple sites and organisations don’t implement adequate protection. 23andMe failed to deploy sufficient security measures to detect and prevent automated login attempts at scale.
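The detection gap described above, as an added example (not the article's or 23andMe's own code): a small Python detector that flags a source IP when it tries many distinct usernames with mostly failures inside a short window, the signature of automated password reuse rather than a single user mistyping. The log format, thresholds and sample lines are constructed assumptions.

```python
# Added example (not from the article): a credential-stuffing detector run over
# constructed authentication log lines. It flags a source IP that, inside a
# sliding window, tries many distinct usernames with a high failure ratio.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (format assumed): "<ISO time> <ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2025-06-01T10:00:01 203.0.113.7 alice FAIL
2025-06-01T10:00:02 203.0.113.7 bob FAIL
2025-06-01T10:00:03 203.0.113.7 carol FAIL
2025-06-01T10:00:04 203.0.113.7 dave OK
2025-06-01T10:00:05 203.0.113.7 erin FAIL
2025-06-01T10:00:06 203.0.113.7 frank FAIL
2025-06-01T10:00:30 198.51.100.9 alice FAIL
2025-06-01T10:00:45 198.51.100.9 alice FAIL
2025-06-01T10:01:10 198.51.100.9 alice OK
"""

WINDOW = timedelta(minutes=5)   # sliding window per source IP
MIN_DISTINCT_USERS = 5          # thresholds are illustrative assumptions
MIN_FAILURE_RATIO = 0.6

def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples from the constructed format."""
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_credential_stuffing(text, window=WINDOW,
                               min_users=MIN_DISTINCT_USERS,
                               min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {ip: (distinct_users, failure_ratio)} for IPs that trip the rule."""
    events = defaultdict(list)            # ip -> list of (ts, user, success)
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()                        # chronological per IP
        for i, (start, _, _) in enumerate(evs):
            inwin = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in inwin}
            fails = sum(1 for _, _, ok in inwin if not ok)
            ratio = fails / len(inwin)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = (len(users), round(ratio, 2))
                break                     # one hit per IP is enough
    return flagged
```

Note that the one successful login buried among the failures (the account whose reused password worked) does not hide the pattern, while the second IP, one user retrying their own password, is not flagged.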
All three cases share a pattern: the ICO offered substantial discounts for early settlement and cooperation. But even with these reductions, the final penalties are orders of magnitude higher than historical averages.
Common Compliance Failures
The 2025 cases reveal recurring technical and organisational failures that organisations continue to overlook. The ICO’s detailed findings in the Capita enforcement notice highlight four critical areas that apply across all major cases this year.
Inadequate multi-factor authentication deployment. Despite years of guidance, many organisations still run critical systems without MFA. This isn’t about legacy infrastructure anymore. Modern identity systems make MFA straightforward to implement.
Failure to prevent privilege escalation. The ICO found that Capita did not implement a tiering model for administrative accounts. This allowed attackers to escalate privileges, move laterally across multiple domains, and compromise critical systems. These failings were flagged as vulnerabilities on at least three separate occasions but were not remedied.
Slow incident response. The Capita case demonstrates that detection without action creates liability. A high priority security alert was raised within ten minutes of the breach, but Capita took 58 hours to respond appropriately—against a target response time of one hour. Having security monitoring tools doesn’t help if your escalation procedures can’t support rapid containment.
Penetration test findings not remediated. The ICO specifically noted that systems processing millions of records were only subject to a penetration test upon being commissioned, with no subsequent testing. Worse, findings from penetration tests were siloed within business units, meaning risks affecting the wider network were not universally addressed.
These aren’t emerging threats requiring cutting-edge security expertise. They’re foundational controls that have been in the NCSC guidance for years.
What’s Coming in 2026
Three trends will shape ICO enforcement over the next 12 months.
Processors in the Firing Line
The Advanced fine establishes clear precedent: processors face direct financial penalties for security failures, not just loss of contracts or reputational damage. If you process data on behalf of others, you’re now in the same enforcement category as data controllers.
This matters particularly for cloud providers, SaaS platforms, and outsourced service providers. Your contracts might say controllers are responsible, but the ICO will assess your technical controls directly.
Expanded Powers Through New Legislation
The Cyber Security and Resilience Bill is working through Parliament and will expand the ICO’s powers to enforce cyber security standards beyond data protection requirements. The regulator will be able to mandate specific technical controls and assess cyber resilience more broadly.
There’s also a clear pattern emerging: public sector organisations receive reprimands for identical failures that would trigger substantial fines in the private sector. The regulatory burden falls disproportionately on commercial organisations.
Focus on Systematic Failures
The ICO is moving away from fining organisations for one-off breaches caused by unusual circumstances. Instead, enforcement targets systematic failures in governance, security architecture, and incident response.
This means your security programme needs documented processes, evidence of continuous improvement, and clear accountability structures. The “we take security seriously” defence doesn’t work without supporting evidence.
Seven Priorities for 2026
Based on 2025’s enforcement patterns, your data protection and security programme should focus on these areas:
- Deploy MFA everywhere. Not just on email. On all administrative access to systems that process personal data.
- Fix your patch management. Create a documented process with defined timescales for different severity levels. Actually follow it.
- Test your incident response. Run realistic scenarios quarterly. Measure time to detection, escalation, and containment. Fix what doesn’t work.
- Remediate pen test findings. If you can’t fix something, document why and what compensating controls you’ve implemented. Empty acceptance of risk isn’t acceptable.
- Review processor contracts. Your processors need to demonstrate their security controls, not just contractually promise them. Request evidence.
- Document everything. The ICO’s enforcement decisions reference organisations’ inability to demonstrate what controls were in place. Documentation isn’t bureaucracy anymore. It’s your primary defence.
- Train your people. Security controls fail when staff don’t understand why they matter or how to use them properly. Training isn’t a tick-box exercise.
These aren’t revolutionary recommendations. They’re foundational practices that most organisations claim to do but fail to implement consistently.
The ICO’s enforcement strategy in 2025 sends a clear message: basic security hygiene isn’t optional, delays in incident response create massive liability, and processors face the same scrutiny as controllers. The financial stakes have increased sevenfold in a year.
If you need help building practical data protection and security awareness across your organisation, Measured Collective provides GDPR and data protection training designed for everyone—we make complex regulations digestible and easy to understand. Understanding these risks is the first step. Taking action is what matters.