On October 15, 2025, the UK’s Information Commissioner’s Office (ICO) fined Capita plc and Capita Pension Solutions Limited (collectively “Capita”) £14 million (~$18.8 million) for failing to implement adequate security measures to protect the personal data of over ~6.6 million individuals following a ransomware attack by Black Basta. The ICO’s penalty notice is available here. […]
Enforcement Action
Inside the SK Telecom Data Breach: What Happened and What Companies Can Learn
In April 2025, SK Telecom—South Korea’s largest mobile carrier—formally notified regulators of a significant data breach that compromised sensitive SIM card data belonging to nearly 27 million users. Following an investigation, the Ministry of Science and ICT and the Korea Internet & Security Agency (KISA) concluded in July 2025 that SK Telecom was negligent in […]
CFPB Brings First Enforcement Action on Data Security
On March 2, the federal Consumer Financial Protection Bureau (CFPB) for the first time brought an enforcement action related to data security. The CFPB consent order imposes a $100,000 fine and five years of regulatory oversight for online payments provider Dwolla. The action sends a clear message that the CFPB intends to actively regulate the […]