ICO fines highlight failures in meeting public promises on data security and children's privacy

Published on 30 March 2026

The question

What do recent enforcement decisions say about the Information Commissioner's Office's (ICO) expectations on security and children's privacy, in particular around public data and privacy assurances?

The key takeaway

The ICO treats both security and children’s privacy as enforcement priorities, with “reasonable” security assessed holistically across endpoints. Regulators will actively test whether technical and organisational measures genuinely match the public assurances that organisations give on those points, and UK‑specific standards should be treated as hard compliance baselines for large tech platforms. Robust governance and early, constructive engagement and remediation after incidents are critical to managing enforcement risk and penalty exposure.

The background

The ICO has recently issued two notable penalties, demonstrating sharpened expectations on security and children’s privacy for organisations processing personal data.

LastPass UK Ltd

LastPass UK Ltd was fined £1.2m following two linked security incidents which together compromised the personal data of up to 1.6 million UK users.

A hacker first compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment. No personal data was taken at this stage, but the attacker obtained encrypted company credentials, which it used to target a senior employee with access to a decryption key and to exploit a known vulnerability on their personal device. Malware (specifically a keylogger) was installed, capturing the employee’s master password, and multi‑factor authentication was bypassed using a trusted device cookie.

The hacker then gained access to the employee's personal vault, which was linked to their professional one, and obtained the information needed to unlock LastPass's backup database. By combining information from both incidents, the hacker was able to access and extract the contents of that backup database, which contained customers' personal information (including customer names, email addresses, phone numbers and stored website URLs). The ICO found no evidence that customer passwords themselves were decrypted, due to LastPass's “zero knowledge” system, under which master passwords are held locally on users’ devices and not by LastPass.

MediaLab

MediaLab, owner of the online image hosting and sharing platform Imgur, was fined £247,590 for unlawfully processing children’s data, including failing to implement any effective age assurance or conduct a data protection impact assessment (DPIA), thereby exposing under‑13s to potentially harmful content between September 2021 and September 2025.

Despite terms stating that under‑13s could only use the platform with parental supervision, Imgur failed to implement measures to check the ages of its users. The platform therefore processed, in direct breach of UK GDPR, the personal data of children under 13 without parental consent. Children were at risk of exposure to harmful content on the platform as a result.

Security as "duty of care"

In the case of LastPass, the ICO's focus on “two isolated incidents” leading to a major breach underlines that regulators will scrutinise how individual control failures can interact, not just each control in isolation. The ICO also criticised the lack of “sufficiently robust technical and security measures” to prevent compromise of backups in the second part of the incident. This penalty confirms that “reasonable” security under UK GDPR and the Data Protection Act 2018 is assessed holistically: device security, third‑party software vulnerabilities, MFA implementation, internal segregation of environments, and protection of backup infrastructure all matter.

The ICO also highlighted that services that “promise to help people improve their security” are under a heightened obligation not to “leave them vulnerable”. The regulator called on “all UK business” to urgently review systems and procedures, pointing to ICO and National Cyber Security Centre (NCSC) guidance on device security, working from home policies and data security.

Children’s data as a strategic enforcement priority

The ICO declared that this decision forms part of a “wider intervention” in line with its Age-Appropriate Design Code (the Children's Code), which requires platforms likely to be accessed by under‑18s to put children’s best interests at the forefront and provide “a high level of privacy by default”. This signals that the enforcement action is not isolated, but part of a broader regulatory push around children’s privacy online.

The regulator considered three main factors to reach its decision: the number of children affected, potential harm and nature of risks, and duration. MediaLab’s acceptance of the ICO’s provisional findings and its commitment to remediate the infringements acted as mitigation and contributed to the level of fine issued.

To ensure compliance, the ICO expects MediaLab (and similar platforms) to:

  • implement effective age assurance that is proportionate to the risks on the platform
  • obtain valid parental consent where under‑13s’ data is processed on the basis of consent
  • conduct DPIAs to identify and mitigate privacy risks to children
  • design services in line with the Children’s Code.

Why is this important?

In both cases, public‑facing assurances were undermined by design and implementation failures. The ICO’s language suggests increased willingness to test whether technical and organisational measures genuinely reflect what is promised to users. It is likely that data breaches of sufficient seriousness will result in thorough investigations and significant monetary fines.

For large tech platforms, this reinforces the need to treat UK‑specific regulatory expectations (e.g. the Children’s Code and ICO security guidance) as hard compliance baselines, not soft best practice.

Any practical tips?

As the ICO's enforcement drive continues, businesses should ensure that technical measures genuinely match what is promised to users, treating security and privacy as core design obligations. Taking a holistic, risk-based approach is key to assessing how multiple weaknesses can interact, and to matching the strength of each control to the level and nature of the risk.

Implementing robust governance and accountability is paramount to effectively addressing breach risks, access control, device security and high-risk user groups. Carrying out and updating DPIAs is not just a compliance formality; it should drive concrete mitigation steps for high-risk processing.

Finally, early engagement in the event of a breach and the ability to demonstrate credible remediation after an incident can benefit businesses. The ICO has shown in both decisions that acceptance of findings and concrete commitments to improve can influence enforcement outcomes.

Spring 2026