DPAS Data Protection Bulletin – July 29 2025


Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.

What arrests were made following the M&S cyber attack? What age checks are being introduced to adult sites? And what data breach led to thousands of Afghans being moved to the UK?

Read about all this and more in our latest DPAS Data Protection Bulletin.

Four arrests made in investigation of M&S cyber attack

Following the major cyberattack on Co‑op earlier this year, four teenagers have been arrested in connection with the breach. The suspects, aged between 17 and 20, were detained in July as part of a wider investigation led by the National Crime Agency.

The group is believed to be linked to Scattered Spider, a cybercrime gang known for targeting major companies including Marks & Spencer and Harrods. The suspects were questioned on suspicion of hacking offences and computer misuse. At least one is thought to have had a prior role in developing or facilitating attacks on corporate infrastructure.

Read more about this here.

Thousands moved from Afghanistan to UK following 2022 data breach

Following a significant personal data breach affecting applicants to a UK-Afghanistan relocation scheme, the government quietly reopened its Afghan relocation programme. The move was made necessary after a breach compromised the details of nearly 19,000 people, prompting urgent action to ensure ongoing protection and continuity.

The reopening was conducted without public announcement, reflecting the sensitivity of the operation. Reports indicate the decision was ratified via high-level government approval, with oversight from senior officials to balance national security and humanitarian concerns. The effort highlights how data compromises can force rapid policy responses, particularly when vulnerable individuals depend on timely support and confidentiality.

Read more about this here.

Co-op confirms all 6.5 million members had data stolen

Co‑op’s chief executive, Shirine Khoury‑Haq, has issued a formal apology after confirming that the personal data of all 6.5 million members was stolen in an April cyber‑attack. The breach exposed names, addresses, and contact information, though no financial or transaction data was compromised. Khoury‑Haq described the situation as both deeply upsetting and a source of personal concern.

The incident caused significant operational disruption, including temporary supply shortages in stores and a reversion to paper-based systems in some funeral parlours. Despite early detection systems that identified the intrusion within hours, Co‑op is not expecting to recover substantial costs from insurers, having prioritised investment in detection over cyber‑insurance.

Read more about this here.

Online Safety Act shields adult content behind age verification in UK

As of 25 July 2025, UK law requires websites and apps hosting pornographic or harmful content to implement highly effective age assurance measures. Platforms must prevent under‑18s from accessing not only pornography but also content linked to self‑harm, suicide, and eating disorders.

Age verification tools include biometric scans, ID checks, bank or mobile-phone verification, or validated “age-estimation” techniques. Major platforms, such as Reddit, Bluesky, Pornhub, TikTok, Instagram, and YouTube, have begun rolling these out. Non-compliant sites risk enforcement action from Ofcom, including fines of up to £18 million or 10% of global turnover, and potentially being blocked in the UK. While regulators say this marks a bold step in child safety online, observers warn of possible privacy risks if personal data is mishandled and point to smaller platforms struggling with implementation costs. Experts note that despite efforts, determined youths may still find ways to bypass restrictions, such as via VPNs.

Read more about this here.

Amazon warns Prime customers of scam emails doing the rounds

The Guardian’s Scam Watch reported a surge in sophisticated fake emails aimed at Amazon Prime subscribers. These messages falsely claim that the cost of membership is set to rise and include a “cancel subscription” button designed to redirect victims to a counterfeit Amazon login page. Once users enter their account details, scammers can harvest login credentials, payment data, and other personal information.

Emails may appear more convincing by including personal details obtained from other sources, and some fraud also involves impersonation via phone or social media messages. The Guardian highlights that these scams aren’t carried out via Amazon itself, so victims should always verify messages through the legitimate Message Centre in their Amazon account or the official app.

To avoid falling prey to such phishing schemes, The Guardian advises readers to:

  • Never click links in unexpected or suspicious emails;
  • Verify sender legitimacy by checking messages directly through Amazon’s website or app;
  • Enable two-step verification or Passkey logins for stronger protection;
  • Monitor bank statements and act immediately in case of unauthorised activity.

Read more about this here.

The Guardian publishes advice on what to do if your driving licence is stolen

The Guardian has published advice for anyone who has lost their driving licence or had it stolen, warning that quick action is essential to reduce the risk of identity theft.

The article outlines what steps to take, including how to report the loss to the police, apply for a replacement through the DVLA or DVA, and keep a close eye on financial accounts for any signs of misuse. It also highlights the importance of considering fraud protection services and what to do if the old licence turns up after a replacement has been issued. The guidance is aimed at helping people secure their personal details and avoid falling victim to scams or impersonation.

Read more about this here.

Ransomware gang takes down 158-year-old company through one weak password

KNP Logistics Group, a long-established UK haulage and distribution company, has collapsed after a ransomware attack exploited a single weak password. The business, which employed around 700 staff and was formed through the merger of several regional carriers, provided nationwide transport and warehousing services.

Hackers accessed the company’s systems using compromised credentials. Without multi-factor authentication or reliable data backups in place, KNP was unable to recover its operations. The breach brought the business to a standstill and ultimately forced it into administration, resulting in hundreds of job losses.

Read more about this here.

ICO explains their approach to Ministry of Defence data breach

The Information Commissioner’s Office has clarified why it won’t take further regulatory action against the Ministry of Defence after a data breach exposed the personal details of over 18,000 Afghan relocation applicants.

The ICO said the breach, caused by an urgent operational error involving a spreadsheet, was not malicious and that the MoD responded swiftly and thoroughly. It noted that the Ministry had already been fined £350,000 for a similar incident in 2021 and has since taken substantial steps to improve data handling. Given the remediation already in place and the classified nature of much of the surrounding information, the ICO concluded that further enforcement would not be proportionate or in the public interest.

Read more about this here.

OpenAI signs deal with UK to use AI in public services

The UK government has signed a Memorandum of Understanding with OpenAI to explore the use of artificial intelligence across key public sectors, including health, education and justice. The partnership supports the UK’s broader AI strategy, which aims to boost computer capacity and establish “AI Growth Zones” over the next five years.

OpenAI will expand its UK operations and collaborate with the UK’s AI Safety Institute on security research. While ministers say the deal could streamline services and create high-tech jobs, critics have raised concerns over transparency, data protection, and the voluntary nature of the agreement.

Read more about this here.

Penny Mordaunt shares experience of being a victim of “deepfake porn”

Former MP Penny Mordaunt has spoken out after discovering her face had been used without consent in AI-generated pornographic content. The material, created and circulated while she was still serving in Parliament, left her feeling “humiliated” and “violated”; she described it as deliberately degrading and violent.

She became aware of the deepfakes after their inclusion in a Channel 4 documentary that revealed several high-profile female politicians, including Priti Patel, Angela Rayner and Gillian Keegan, had also been targeted. Mordaunt warned that those creating and sharing such content often fail to understand the long-term emotional and reputational harm caused to real people.

Read more about this here.

US nuclear weapons agency one of 400 organisations breached by Chinese hackers

Microsoft has revealed that Chinese-backed hacking groups exploited critical vulnerabilities in on-premises SharePoint servers, breaching more than 400 organisations, including the US National Nuclear Security Administration. The intrusions began around 7 July 2025 and were identified as the work of Linen Typhoon, Violet Typhoon, and Storm‑2603, targeting systems via authentication spoofing and remote code execution.

The attackers stole cryptographic keys, deployed web shells (notably spinstall0.aspx), and in some cases, used the vulnerabilities to distribute Warlock ransomware. Microsoft and cybersecurity firms have urged organisations using self-hosted SharePoint to apply emergency patches, enable robust endpoint defences, rotate machine keys, restart their IIS servers, and hunt for signs of compromise.

Read more about this here.

The Guardian shares article on the moral complexities of couples’ location sharing

The Guardian has published a piece exploring the growing trend of couples using real-time location-sharing apps such as Apple’s Find My and Life360. The article looks at how some couples see it as a way to build trust, stay connected and feel safer, while others view it as potentially intrusive or controlling. It highlights personal experiences alongside expert views, noting that clear communication and agreed boundaries are key to making the practice work in a healthy relationship.

Read more about this here.

GET IN TOUCH WITH US!

If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.

Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out a contact form. Our dedicated team will get back to you as soon as possible.
