UK Data Breach Report – June 2025

What happened, who was affected, and what we can learn…

June saw three notable data-protection stories affecting people in the UK: two fresh breaches of customer data at well-known brands, and a very public fine for a major DNA testing company over its 2023 breach.

Here's a breakdown of each case, covering the key details, the regulatory response, and some professional insight:

23andMe

Date Reported: 17th June 2025 (ICO penalty notice; the underlying breach took place in 2023)
No. of UK Individuals Affected: 155,592
Data Exposed or at Risk: Genetic information, health data, ancestry reports, family tree connections.
ICO Response: £2.31 million monetary penalty issued for serious UK GDPR failings (Articles 5(1)(f) and 32(1)).
Summary: Between April and September 2023, attackers ran a credential-stuffing attack against 23andMe accounts, using username and password pairs stolen in earlier, unrelated breaches. Once inside user accounts, they harvested deeply personal and immutable data.
Commentary: This wasn't a sophisticated attack; it was basic credential stuffing. The real issue was 23andMe's failure to mandate MFA and its slow response once the intrusion was under way. When you hold sensitive, unchangeable data like someone's DNA, you have a duty to do better. The fine reflects that, and rightfully so.

Cartier

Date Reported: 3rd June 2025 (disclosed by the company in early June).
No. of UK Individuals Affected: Undisclosed (estimated at several thousand).
Data Exposed or at Risk: Customer names, email addresses, and country of residence.
ICO Response: ICO informed; investigation ongoing.
Summary: Cartier discovered unauthorised access to its customer records. While no payment data or passwords were compromised, personally identifiable information (PII) was accessed. The company responded swiftly and notified customers and regulators.
Commentary: Cartier's response was measured and prompt, which is encouraging. But as a luxury retailer, its customer database is a tempting target. A list of names, email addresses and countries is exactly what a convincing, brand-themed phishing campaign needs, and these incidents often precede one, so customers should stay alert.

The North Face

Date Reported: 3rd June 2025 (the attack itself occurred in April).
No. of UK Individuals Affected: Undisclosed (estimated 10,000+).
Data Exposed or at Risk: Contact information, purchase history, account details (no financial or password data leaked directly).
ICO Response: ICO notified; no enforcement action announced.
Summary: Like 23andMe, The North Face was hit by credential stuffing: attackers used passwords reused from other breached sites to log in to customer accounts. The company reset credentials and contacted those affected.
Commentary: Another example of why password reuse is such a persistent threat, and not the first credential-stuffing incident the brand has disclosed. Nothing in the disclosure suggests the platform had meaningful safeguards against the tell-tale pattern of credential stuffing: one source trying many different usernames with a high failure rate, or one account being tried from many sources. Rate limiting per source and per account, bot detection, checks against known-breached passwords, and MFA should be standard at this point.

Insights for UK Businesses

  • Credential stuffing remains one of the most successful attack methods, especially when MFA isn't enforced and systems lack behavioural detection of login patterns.
  • Luxury and retail brands are high-value targets, even if they don’t hold financial data. Simple PII can be weaponised for fraud and phishing.
  • Regulators are becoming more assertive, particularly where health or sensitive personal data is involved.
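To make the "behavioural detection" point concrete, here is an added example (written for this report, not code from 23andMe, Cartier, The North Face or the ICO) that runs two simple detections over authentication logs: a per-source rule that catches a bot cycling through many usernames with mostly failures, and a per-account rule that catches the distributed, low-and-slow variant that per-IP rate limits miss. The log format, the thresholds and the log lines themselves are constructed for the example; the IP addresses are from documentation ranges.

```python
"""Credential-stuffing detection over constructed web-login logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<timestamp> <source IP> <username> <OK|FAIL>".
# 198.51.100.9  : a stuffing bot, 12 distinct accounts in 22 seconds, two of them succeed.
# 203.0.113.4   : a normal user who mistypes a password twice, then logs in.
# 192.0.2.10-14 : one account tried from five different sources over ~80 minutes.
SAMPLE_LOG = """\
2025-04-23T03:00:01Z 198.51.100.9 ann@example.test FAIL
2025-04-23T03:00:03Z 198.51.100.9 bob@example.test FAIL
2025-04-23T03:00:05Z 198.51.100.9 cat@example.test OK
2025-04-23T03:00:07Z 198.51.100.9 dan@example.test FAIL
2025-04-23T03:00:09Z 198.51.100.9 eve@example.test FAIL
2025-04-23T03:00:11Z 198.51.100.9 fay@example.test FAIL
2025-04-23T03:00:13Z 198.51.100.9 gus@example.test FAIL
2025-04-23T03:00:15Z 198.51.100.9 hal@example.test OK
2025-04-23T03:00:17Z 198.51.100.9 ivy@example.test FAIL
2025-04-23T03:00:19Z 198.51.100.9 jon@example.test FAIL
2025-04-23T03:00:21Z 198.51.100.9 kim@example.test FAIL
2025-04-23T03:00:23Z 198.51.100.9 lou@example.test FAIL
2025-04-23T09:15:00Z 203.0.113.4 ann@example.test FAIL
2025-04-23T09:15:20Z 203.0.113.4 ann@example.test FAIL
2025-04-23T09:15:45Z 203.0.113.4 ann@example.test OK
2025-04-23T11:00:00Z 192.0.2.10 vip@example.test FAIL
2025-04-23T11:20:00Z 192.0.2.11 vip@example.test FAIL
2025-04-23T11:40:00Z 192.0.2.12 vip@example.test FAIL
2025-04-23T12:00:00Z 192.0.2.13 vip@example.test FAIL
2025-04-23T12:20:00Z 192.0.2.14 vip@example.test OK
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing_sources(events, window=timedelta(minutes=10), min_users=10, min_fail_ratio=0.8):
    """Per-source rule: many distinct usernames from one IP inside the window, mostly failing.

    Returns {ip: {usernames that logged in successfully during the burst}}. Those successes are
    the accounts the attacker now holds, so they are the ones to reset and step up, not the IP.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):
            while evs[start].ts < e.ts - window:  # slide the window forward
                start += 1
            burst = evs[start:end + 1]
            users = {w.user for w in burst}
            fails = sum(1 for w in burst if not w.success)
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                flagged.setdefault(ip, set()).update(w.user for w in burst if w.success)
    return flagged


def detect_targeted_accounts(events, window=timedelta(hours=24), min_sources=5):
    """Per-account rule: one username attempted from many distinct IPs inside the window.

    Returns {username: number of distinct sources seen}. This is the distributed form of
    stuffing, which stays under any per-IP threshold.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end, e in enumerate(evs):
            while evs[start].ts < e.ts - window:
                start += 1
            sources = {w.ip for w in evs[start:end + 1]}
            if len(sources) >= min_sources:
                flagged[user] = max(flagged.get(user, 0), len(sources))
    return flagged


def accounts_to_step_up(events) -> set[str]:
    """Accounts to force through a password reset and MFA enrolment: successful logins
    inside a stuffing burst, plus any account under a distributed attack."""
    result = set()
    for users in detect_stuffing_sources(events).values():
        result |= users
    result |= set(detect_targeted_accounts(events))
    return result


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing_sources(evs))
    print("targeted accounts:", detect_targeted_accounts(evs))
    print("step up:", sorted(accounts_to_step_up(evs)))
```

The normal user (three attempts against one account from one IP) trips neither rule, which is the point of keying on distinct usernames per source and distinct sources per account rather than on raw failure counts. In production the same logic would run as a streaming job over the identity provider's audit log, with the thresholds tuned to the site's real traffic.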

Legislative Context

The Data (Use and Access) Act 2025 received Royal Assent on 19th June 2025; its provisions are being commenced in stages rather than all at once. These cases predate it, but we expect it to shape breach reporting expectations and regulatory responses in future incidents.

Conclusion

This month serves as a reminder that even basic attacks can have major consequences when companies fail to implement well-known security measures. 23andMe's fine sends a message: sensitive data needs more than lip service, especially when the stakes are biological.

Disclaimer

This report is based on public disclosures, media reports, and ICO updates available at the time of writing. Figures for affected individuals may be estimated where not officially disclosed. This post is intended for informational purposes only and does not constitute legal advice.

Stu Walsh

I am a Chief Information Security Officer (CISO) and Data Protection Officer (DPO) with extensive experience in overseeing organisational information security strategies, as well as establishing and maintaining the Information Security Management System (ISMS) required for ongoing General Data Protection Regulation (GDPR) compliance and ISO27001 and PCI-DSS certifications, ensuring the protection of sensitive data and compliance with all UK regulations and standards.
