According to TheRegister.com, UK businesses are facing devastating fines from the Information Commissioner’s Office for basic password security failures under UK GDPR Article 32. Capita plc was just hit with a £14 million penalty for unsecured AWS buckets and extractable passwords, while Advanced Computer Software received a £3.07 million fine for incomplete MFA coverage that enabled a LockBit ransomware attack. 23andMe paid £2.31 million after credential stuffing attacks compromised 6.9 million user profiles, and even small firms like DPP Law Ltd faced a £60,000 penalty for admin accounts lacking MFA protection. The statutory maximum penalty is 4% of worldwide annual revenue, meaning a mid-sized UK business with £10 million turnover could face a £400,000 fine. Recent enforcement actions show the ICO is holding companies of all sizes accountable for what they consider fundamental security failures.
The ICO means business
Here’s the thing: the ICO isn’t messing around anymore. They’re hitting companies where it hurts – their bottom line – for security practices that were once considered “normal” in many organizations. The pattern across all these cases is brutally consistent: basic authentication failures leading to massive breaches. Capita had unsecured AWS buckets and passwords stored in plain text. Advanced had MFA almost everywhere except one customer account. 23andMe failed to protect against credential stuffing. These aren’t sophisticated zero-day exploits – they’re fundamental security hygiene failures.
And the scary part? The ICO’s John Edwards was crystal clear about expectations: “I urge all organisations to ensure that every external connection is secured with MFA today… there is no excuse for leaving any part of your system vulnerable.” That’s not a suggestion – it’s a regulatory requirement with teeth.
The human problem with technical solutions
So why do these basic failures keep happening? The government’s own Cyber Security Breaches Survey 2025 shows the scale of the problem: 43% of businesses suffered a breach in the last year, rising to 74% for large organizations. Yet only 23% have a formal incident response plan, and a pathetic 19% provide staff training on cyber security.
Basically, we’re asking humans to do what humans are terrible at: remembering dozens of complex, unique passwords. The NCSC’s guidance to use “three random words” makes sense technically, but try remembering 47 different combinations like “CoffeeTrainFish” across all your work systems. It’s cognitively impossible. So people write them down, reuse them, or share them via WhatsApp – exactly the behaviors that got these companies fined.
Why enterprise password managers fail
Now you might think the solution is simple: just deploy an enterprise password manager. But here’s the dirty secret most vendors won’t tell you: most enterprise password managers are awful to actually use. They require three-day training sessions, have interfaces designed by engineers who’ve never watched a normal human try to log in under pressure, and come with support teams that take days to respond.
So what happens? IT departments deploy them, users hate them, and within six months everyone’s back to saving passwords in Chrome and sharing credentials via WhatsApp. The problem isn’t that organizations lack password management tools – it’s that nobody uses them. And security that people actively avoid using isn’t security at all.
The new compliance reality
Look, the regulatory landscape has fundamentally changed. The ICO has made it clear that “appropriate security measures” under UK GDPR now include comprehensive credential management with MFA on every external connection. This isn’t optional anymore – it’s the minimum standard, and the fines prove it.
The question every business leader needs to ask is simple: can your organization absorb a multi-million-pound fine and the reputational damage that comes with it? Because after seeing what happened to Capita, Advanced, and 23andMe, the writing is on the wall. Strongly worded emails about password hygiene won’t cut it anymore. You need systems that make secure behavior the default, not the exception.
