
Biggest Cybersecurity Fines From 2025

Written by Craig Pepper | Jan 13, 2026 8:00:00 AM

In 2025, regulators around the world continued to penalise organisations after major cybersecurity incidents. From ransomware attacks to failures in basic security controls such as multi-factor authentication, 2025’s enforcement actions underline the cost of weak cyber defence, both financially and reputationally. We break down some of the most significant fines of 2025, explain why they happened, and highlight how other businesses can avoid similar pitfalls.

1. Capita Fined £14 Million — UK GDPR Enforcement

One of the year’s most significant penalties involved Capita plc and Capita Pension Solutions Limited, which together were fined £14 million by the UK Information Commissioner’s Office (ICO).

What Happened

  • The fine stemmed from a ransomware attack on Capita’s systems, which led to the exposure of personal data for more than 6.6 million people.

  • Regulators found that Capita had failed to implement appropriate technical and organisational measures to protect this data, breaching core provisions of the UK GDPR.

This penalty serves as a stark warning: even large enterprises with existing cyber controls can face severe consequences if those controls are insufficient or poorly tested.

2. DPP Law Ltd Fined £60,000 — Cyberattack Response Failures

In April 2025, the ICO imposed a £60,000 fine on DPP Law Ltd, a UK law firm, after a ransomware attack exposed sensitive client data.

What Went Wrong

  • Hackers accessed an administrator account that lacked multi-factor authentication (MFA), enabling them to take 32 GB of confidential data.

  • DPP’s delayed breach reporting (43 days after discovery) and outdated security measures contributed to regulatory action.

Fines for small and medium enterprises (SMEs) may be lower, but the regulatory message is clear: basic protections like MFA and timely breach notification are essential.

3. Global GDPR Penalties: TikTok, Meta and Amazon

Across Europe, regulators continued enforcing GDPR provisions tied to cybersecurity and data protection.

TikTok

The Irish data protection authority issued a €530 million fine to TikTok for improper data transfers and inadequate protection measures, ranking among the largest GDPR fines of 2025.

Meta (Facebook’s parent company)

Meta was hit with a €1.2 billion fine in early 2025 for unlawful data transfers (personal data moved outside the EU without adequate safeguards). This became one of the largest GDPR fines to date.

Amazon

Luxembourg’s data protection authority fined Amazon around €746 million for targeted advertising practices that lacked valid user consent — another major GDPR enforcement action in 2025.

Other GDPR Fines (Smaller but Notable)

  • Marina Salud (healthcare provider) – fined around €500,000 for sharing sensitive health data without valid contracts.

  • Vodafone entities – received fines in different jurisdictions, including a €200,000 penalty and a €45 million penalty, for breaches tied to authentication and data protection oversight.

4. International Case: SK Telecom Fined in South Korea

Regulators outside Europe are also cracking down on poor cybersecurity.

In August 2025, South Korea’s Personal Information Protection Commission fined SK Telecom approximately ₩134.8 billion (~US$96.9 m) after a major data breach exposed user data.

This demonstrates that cybersecurity enforcement is a global priority, not limited to GDPR jurisdictions.

Key Takeaways for Businesses

To reduce the risk of regulatory fines, organisations should:

  • Implement multi-factor authentication (MFA) across all systems.

  • Conduct regular penetration testing and vulnerability assessments.

  • Encrypt sensitive data at rest and in transit.

  • Deploy structured incident response and breach reporting procedures.

  • Ensure ongoing compliance with GDPR and local data protection rules.

Proactive security isn’t just good practice; it’s increasingly a legal obligation.

2025’s fines highlight a clear trend: regulators are willing and able to impose heavy penalties on organisations that fail to protect personal data and respond effectively to cybersecurity incidents. From UK SMEs to global tech giants, no organisation is immune.

By learning from these cases and strengthening cybersecurity and data compliance frameworks today, businesses can significantly reduce both financial and reputational risk tomorrow.