UK Data Protection Incidents and Enforcement Actions
A UK local authority disclosed personal data during its complaints-handling process after forwarding complaints to a councillor with every complainant’s identifying details still attached, even though some complainants had asked to withhold their names. The exposed information reportedly included contact details (home addresses, email addresses and phone numbers) that would not normally be shared with the subject of a complaint. The incident is a data protection breach in its own right and also raises governance questions about how complaint records are processed and redacted before onward disclosure.
Separately, the UK Information Commissioner’s Office (ICO) won a court ruling in its long-running effort to uphold a £500,000 fine against DSG Retail (owner of Currys PC World and Dixons Travel) over a major 2017 breach in which malware was installed on 5,390 point-of-sale tills and went undetected for nine months. The attackers took 5.6 million payment card numbers and expiry dates (without cardholder names) together with personal data relating to roughly 14 million individuals; a central legal question is whether the payment card data on its own constitutes personal data under the pre-GDPR regime that applied at the time. A third item argues for tax incentives, modelled on green-energy policy, to drive “security by design” and improve cybersecurity outcomes; it is a policy opinion piece rather than reporting on a specific incident or enforcement action.
Related Stories

Rising Regulatory and Governance Pressure on Data Protection and Cybersecurity
European regulators issued roughly **€1.2B** in **GDPR** fines in 2025 and received an average of **443 personal data breach notifications per day**, signalling both heavier enforcement and higher reporting volume, alongside overlapping disclosure regimes such as **NIS2** and **DORA**. Ireland remained a leading enforcement authority, including a **€530M** fine against **TikTok**, and large technology firms continued to account for most of the largest penalties; cumulative GDPR penalties since 2018 were reported at **€7.1B**. In the U.S., an **HHS Office of Inspector General** management challenges report highlighted persistent federal healthcare cybersecurity gaps, including inconsistent governance and controls across HHS divisions and heavy dependence on contractors and grantees to implement security measures, conditions that complicate prevention and response as ransomware and other attacks continue to target healthcare. Separately, an academic study on insider risk reported that **58%** of surveyed college students in technology-related programs said they would violate **HIPAA** and disclose patient data for sufficient payment, underscoring the insider threat dimension that can drive breach risk and downstream regulatory exposure.
1 month ago
UK ICO Fines Police Scotland for Excessive Mobile Phone Extraction and Unlawful Disclosure
The UK **Information Commissioner’s Office (ICO)** fined **Police Scotland £66,000** and issued a reprimand after finding “serious” data protection failures in the handling of an alleged victim’s mobile phone data. Investigators extracted the *entire contents* of the phone when only specific communications were needed for the criminal inquiry, collecting a substantial volume of **highly sensitive “special category” data** unrelated to the investigation. The ICO found that the unredacted full extraction was then mishandled internally: the complete phone dump was included in a professional standards/misconduct disclosure bundle and **shared with a third party who should not have received it**, exposing sensitive victim information. Reporting framed the case as a governance and controls failure around **data minimisation**, secure handling of digital evidence, and staff training within policing and criminal justice organisations.
6 days ago
Healthcare and Public-Sector Data Breaches and Breach-Related Litigation
Multiple organizations reported **unauthorized access and data exposure events** affecting large populations, several of them tied to third-party systems or business associates. The Minnesota Department of Human Services notified nearly **304,000** people after a user associated with a licensed healthcare provider accessed demographic records in the *MnChoices* system (managed by vendor **FEI Systems**) beyond what they were authorized to view; most affected records were demographic data, with a smaller subset including some medical information and, for some individuals, the last four digits of SSNs. Monroe University reported a **December 2024** intrusion with data exfiltration affecting about **320,973** individuals; exposed data potentially included SSNs, government IDs, financial account information, and health/insurance data, and notification letters began going out in early January 2026. Separately, Mid Michigan Medical Billing Service disclosed a **March 2025** cyberattack that exposed PHI for **28,185** individuals across its healthcare clients, and VillageCareMAX reported a breach involving business associate **TMG Health** (referenced as part of a broader business-associate breach update).

Other items in the set describe distinct, unrelated security stories rather than the same incident: an underground-market sale of **Raaga** user data (10.2M records, including passwords stored as **unsalted MD5 hashes**, which can be recovered at scale with precomputed or dictionary attacks); a settlement in litigation tied to the **Veradigm** breach (over 2M patients; **$10.5M** class-action settlement); and a **ransomware** incident at **Valley Eye Associates**, in which a group identified as **Qilin** claimed to have exfiltrated 139 GB and published data.
Additional references include commentary on the UK government’s handling of an **Afghan data breach** (a spreadsheet emailed outside the MoD, followed by the use of an injunction) and broader analysis of healthcare breach trends and UK ambulance-service breach reporting; these provide context but do not describe the same specific events as the Minnesota DHS or other named incidents.
1 month ago