DPAS Data Protection Bulletin – June 26 2025


Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news from all around the world.

When are the Data (Use and Access) Act changes rolling out? How is an Oslo-based team monitoring cyber threats to ships’ systems? And what’s being called one of the largest data breaches ever?

Read about all this and more in our latest DPAS Data Protection Bulletin.

Data (Use and Access) Bill (now Act) receives Royal Assent

The Data (Use and Access) Act 2025 has received Royal Assent, introducing key enhancements to data protection legislation in the UK, aiming to help businesses innovate while maintaining personal privacy.

Some examples of these amendments are:

  • Clarifies lawful use of personal data for research and automated decision-making
  • Allows certain cookies without prior consent, and enables charities to use ‘soft opt-in’
  • Introduces a new “recognised legitimate interests” legal basis
  • Requires organisations to have a formal complaints process
  • Solidifies that when responding to a Subject Access Request, only a ‘reasonable and proportionate search’ needs to be conducted

The changes will roll out over the next 12 months, and organisations are encouraged to review their use of personal data, update complaint-handling processes, and prepare for evolving compliance standards.

Read more about this here.

Vodafone fined 45 million euros for GDPR violations

Vodafone Germany has been fined €45 million for major data protection failures. The country’s data watchdog found the company had weak oversight of third-party sales agencies, some of which falsified or manipulated customer contracts. Vodafone was also penalised for poor authentication processes that left users’ eSIM profiles vulnerable to unauthorised access.

The telecoms giant has accepted the findings, paid the fine, and introduced stricter controls over partner firms and system security. The case highlights growing regulatory pressure to ensure both customer privacy and robust digital safeguards.

Read more about this here.

Police take down website used by cybercriminals to fine-tune malware

International police have taken down AVCheck, a website used by cybercriminals to check whether their malware could evade antivirus software. The service allowed users to upload malicious files and test them against major antivirus engines without alerting security companies, helping attackers refine their code until it went undetected.

The takedown was part of a wider global operation targeting cybercrime infrastructure, which also dismantled related sites offering “crypting” services used to obfuscate malware. Investigators found links between AVCheck and ransomware groups, confirming that the site played a key role in the early stages of many cyberattacks. Authorities replaced AVCheck’s homepage with a warning message and emphasised that criminals using such services would be identified and prosecuted. While this marks a significant blow to cybercrime operations, experts warn that similar platforms may still be operating in the background.

Read more about this here.

Data breach targeting taxpayer accounts costs HMRC £47 million

Around 100,000 UK taxpayers were targeted in a sophisticated organised crime phishing campaign that exploited personal data obtained outside HMRC’s systems. Attackers used stolen identity details to create or hijack PAYE accounts, fraudulently claiming £47 million in tax repayments. HMRC asserts that no individual personally lost funds; it has locked the compromised accounts, removed malicious data and secured logins.

The incident, revealed in June 2025, prompted the lockdown of affected accounts and led to arrests both in the UK and abroad. HMRC emphasised it was not a system hack, but a deception-based attack targeting individuals. Additional preventative steps include a review of cybersecurity measures and improved communication protocols.

This episode coincided with criticism from MPs over HMRC’s delayed public disclosure and its handling of notification to affected parties, raising questions about transparency and oversight.

Read more about this here.

M&S resumes online orders six weeks after cyber attack

M&S has restored its online ordering services, first to customers in England, Scotland, and Wales, with Northern Ireland and click‑and‑collect expected to follow. The move comes after a severe cyber attack in late April by ransomware group DragonForce, which forced M&S to suspend online orders for six weeks.

Customer data, including contact details and order history, was compromised during the attack, although no payment information or passwords were affected. While this has dealt a blow to profits (estimated at around £300 million in losses), M&S is now regaining ground. Its shares edged up 3.7% upon announcement of service resumption.

Read more about this here.

High Court dismisses claim of unfair data processing regarding “sex pest” headline

The High Court dismissed a data protection claim by former Labour donor Dale Vince against a national newspaper. The paper had published a headline referring to a “sex pest donor” alongside Mr Vince’s photograph. The judge ruled that readers are expected to read the full article, and since the text clarified that the allegation did not refer to him, there was no unfair or misleading use of his image or name.

Legal experts welcomed the decision, noting its importance in an era of quick headline consumption. They emphasised that even if readers skim headlines, the content itself provided necessary context, making the claim an abuse of process. While Mr Vince’s case was dismissed, judges reiterated explicitly that he had no connection to the “sex pest” claim, reaffirming his stance and correcting public perception.

Read more about this here.

WhatsApp backs Apple in legal battle against UK regarding customer data

WhatsApp has formally stated its support for Apple in a legal dispute against the UK government concerning access to encrypted user data. The messaging service argues that any attempt to compel tech firms to weaken end-to-end encryption could set a dangerous precedent, “emboldening other governments” to demand backdoors into private communications.

Will Cathcart, WhatsApp’s CEO, emphasised that strong encryption is vital to user privacy and safety, particularly against authoritarian regimes. The company asserts it would resist any law or government request aimed at undermining these protections.

Read more about this here.

Woman falsely accused of shoplifting due to facial recognition error

A woman was wrongly accused of shoplifting after a supermarket’s facial-recognition system misidentified her as a suspected thief. The system flagged her while she was merely purchasing around £10 of toilet rolls, prompting staff to stop and eject her from the store before realising the mistake.

She described herself as “fuming” and struggled to learn what had happened, only discovering that the error was linked to a facial-recognition alert. Advocacy groups and experts have criticised the technology’s use, particularly highlighting its high rate of false positives and lack of clear oversight. There’s growing unease over private-sector surveillance and biometrics being deployed without sufficient regulation, especially when innocent individuals face public embarrassment and reputational harm.

Read more about this here.

Patients filming their own medical procedures are putting themselves and staff at risk

Staff across the NHS, particularly radiographers, have raised serious concerns about patients filming their treatment (such as cancer procedures or cannula insertions) for social media. They warn this practice can:

  • Breach the privacy of nearby patients by capturing sensitive information like names and dates of birth
  • Cause anxiety among staff, whose badges and faces may appear in videos
  • Distract healthcare professionals, potentially impacting the quality of care

A union representative shared an incident where a colleague was so unsettled by being recorded during a procedure that they could not sleep all weekend. NHS officials are calling for clear, trust-wide policies requiring patients to seek permission before filming and ensuring any recordings remain solely for personal use, preventing their exposure or misuse.

Read more about this here.

ICO fines 23andMe millions over 2023 data breach

In December 2023, hackers exploited weak security on the 23andMe platform (using a credential‑stuffing attack) to access personal and genetic data belonging to over 155,000 UK users and nearly 7 million worldwide. Stolen information included names, postcodes, family trees, health reports and ethnicity details.

A joint investigation by the UK’s Information Commissioner’s Office (ICO) and Canada’s privacy regulator concluded that 23andMe failed to implement basic protections such as multi‑factor authentication, robust password policies and effective threat monitoring. The ICO described the breach as “profoundly damaging”, noting the company was slow to respond and only fully investigated after stolen data appeared on Reddit. As a result, 23andMe has been fined £2.31 million. The firm has since introduced stronger security measures, and is being acquired by a non‑profit led by its co‑founder.

Read more about this here.

Co-op offers members £10 off a shop over £40 following cyber attack

Following a recent data breach where hackers accessed personal data, including names, addresses and membership numbers, the Co‑op offered its members a one‑off £10 discount on a minimum £40 shop, which was valid until 24 June.

This gesture followed criticism from cybersecurity experts, who argued that while the offer was appreciated, it may not have adequately reflected the value of the compromised data. One noted that members “need a digital equivalent of the FSCS for data breaches” and questioned whether a single discount truly addresses the harm caused.

Read more about this here.

Trump to once again extend deadline for TikTok sale or ban

President Donald Trump has issued a third 90-day extension (until 17 September 2025) granting TikTok additional time to secure a US-based buyer in order to comply with national security legislation targeting foreign-controlled apps. The move follows the Supreme Court’s affirmation of an earlier ban, which requires ByteDance to divest TikTok’s American operations.

TikTok expressed gratitude for the extension, emphasising ongoing negotiations with government officials. However, critics in Congress argue the repeated delays bypass legal safeguards and ignore national security warnings. Past acquisition attempts stalled amid broader US–China tensions, and although firms like Oracle, Blackstone and Amazon expressed interest, no deal has been finalised.

Read more about this here.

Oslo maritime cybersecurity team monitoring threats to ships’ systems

The Nordic Maritime Cyber Resilience Centre (Norma Cyber), based in Oslo, is working to protect European waters from a growing range of maritime threats. These include hackers remotely tampering with ship systems, covert surveillance by disguised vessels, and unregulated “shadow fleet” tankers evading sanctions.

In 2024, at least 239 cyber incidents targeted maritime assets, many linked to state-backed actors from Russia, Iran, and China. Ships’ critical systems, such as navigation and communications, are increasingly vulnerable, with attackers using AI to exploit onboard tech.

Authorities are also tracking spy ships operating under civilian guises, while hundreds of ageing tankers pose environmental and security risks, particularly near vital infrastructure. Norma Cyber is collaborating with coastguards and insurers, and urging a return to traditional seamanship like manual navigation amid GPS interference.

Read more about this here.

The Guardian shares advice for recovering from SIM-swap scams

The Guardian has published guidance for mobile users concerned about SIM-swap scams, a growing threat where criminals hijack your phone number by transferring it to a new SIM card without your consent.

The advice outlines how to recognise the signs, such as a sudden loss of mobile service or unexpected account activity, and stresses the importance of acting quickly. Victims are urged to contact their mobile provider immediately, secure bank accounts, and notify contacts. The piece also highlights preventative steps, including setting up strong passwords, enabling additional verification methods, and avoiding predictable security question answers. The Guardian warns that this type of fraud can be used to access bank accounts, messaging apps and other services tied to your phone number, making vigilance and preparation essential.

Read more about this here.

Over 16 billion accounts leaked in “one of the largest data breaches ever seen”

Security researchers have uncovered what appears to be one of the largest data troves in history: around 16 billion login credentials, drawn from 30 separate data sets. This includes usernames, passwords, and in some cases, session tokens or cookies, covering a vast range of services from major platforms like Apple, Google, Facebook and Telegram, to VPNs, developer tools, corporate portals, and even governmental systems.

While the haul largely stems from various malware and credential-stuffing schemes rather than a single hack, the recency and sheer size of the collection make it a “blueprint for mass exploitation.” Such data puts users at risk of account takeovers, identity theft, phishing, and other cyber-criminal activities.

Read more about this here.

Oxford City Council says 21 years of election worker data exposed after cyber attack

Oxford City Council suffered a cybersecurity breach over the weekend of 7–8 June, prompting an immediate shutdown of key systems while security teams worked to remove the unauthorised access and assess the damage. While most digital services have now been restored, essential operations experienced disruption during the investigation.

The incident affected legacy systems housing data on current and former Council and election officers from 2001 to 2022, raising concerns that personal details, including those of people involved in polling and ballot-counting, may have been accessed. The Council confirms there is no evidence that members of the public had their data compromised or that any mass export of information occurred.

Affected individuals have been contacted directly and offered support. The Council has also reported the breach to relevant authorities and is conducting a thorough investigation while implementing strengthened cybersecurity measures to prevent future incidents.

Read more about this here.

GET IN TOUCH WITH US!

If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.

Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out a contact form. Our dedicated team will get back to you as soon as possible.
