
Why UK businesses are paying ICO millions for password mistakes you’re probably making right now

Partner Content UK GDPR Article 32 mandates “appropriate security measures”. The ICO has defined what that means: multi-million-pound fines for password failures. The violations that trigger them? Small, familiar, and happening in your organization right now.

Your sysadmin shares SSH keys via WhatsApp in “defnotsshkeys.txt”. Your HR manager stores employee ID scans in Gmail. Your intern has admin access because it was easier than configuring permissions. And your former contractor from 2017 still receives reports with client data because his email was never removed from the distribution list.

These scenarios range from the simplest to more complex, like misconfigured cloud storage with cascading access rights across departments. But they share a common outcome: this is exactly how cybersecurity breaches happen.

And when they do, the ICO responds with fines that can cripple businesses. Capita plc just learned this expensive lesson — unsecured AWS buckets and extractable passwords cost them £14 million.

The pattern continues across industries: Advanced Computer Software received a £3.07 million fine for incomplete MFA coverage. 23andMe paid £2.31 million after credential stuffing attacks exploited password reuse. Even small firms like DPP Law Ltd faced a £60,000 penalty when a brute-force attack breached an admin account that lacked MFA protection.

The statutory maximum? Four percent of worldwide annual revenue. For a mid-sized UK business with £10 million turnover, that’s a potential £400,000 fine. For larger operations, the exposure scales into millions.

UK GDPR: real fines for real businesses

Recent ICO enforcement actions under UK GDPR and the Data Protection Act 2018 show a pattern: password failures cost UK businesses millions. Poor credential management, missing MFA, delayed breach notifications — the same fundamental errors appear across companies of vastly different scales, and the ICO is holding all of them accountable.

From FTSE 100 outsourcing giants to small law firms, the penalties tell the same story:

Capita plc (£14 million)

The outsourcing behemoth’s breach in March 2023 exposed the cascading failure mode of poor password security at scale. Attackers exploited an unsecured AWS S3 bucket to gain initial access, then used privilege escalation to move laterally across systems.

They extracted unencrypted passwords directly from server memory. The ICO’s message was clear: if you’re handling data at this scale, there’s no excuse for basic authentication failures.

Advanced Computer Software (£3.07 million)

Advanced had implemented multi-factor authentication across much of its infrastructure. But much isn’t all. Attackers found a single customer account without MFA protection and used it as an entry point for a LockBit ransomware attack that disrupted NHS services.

£3 million fine. The ICO’s John Edwards was blunt: “I urge all organisations to ensure that every external connection is secured with MFA today… there is no excuse for leaving any part of your system vulnerable.”

23andMe (£2.31 million)

Threat actors launched a credential stuffing attack, using passwords leaked from other breaches to access 23andMe accounts. They compromised 6.9 million user profiles. The ICO’s verdict? “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”

Interserve Group (£4.4 million)

Interserve, a major support services and construction firm, suffered a phishing attack that compromised employee credentials. Once inside, attackers accessed systems containing personal data for thousands of employees and service users.

The breach revealed a critical vulnerability: without centralized credential management, a single compromised password can provide attackers with unrestricted access to the entire infrastructure.

DPP Law Ltd (£60,000)

Don’t assume the ICO only goes after big targets. This small law firm learned that lesson when a brute-force attack compromised an administrator account that had no MFA protection. The attackers accessed sensitive legal client data.

The fine was proportionate to their size, but the reputational damage and legal implications were devastating. The message? UK GDPR applies equally to a five-person law firm and a major corporate player.

Do you know where your company passwords are right now?

Credentials are scattered across business infrastructure in ways that would horrify any IT security officer:

  • Email and spreadsheets: Password resets, API keys, and shared logins sitting in Gmail. Master Excel sheets with team credentials, accessible to anyone with the link, protected by passwords set years ago and never changed.
  • Cloud storage: Text files with server passwords shared with anyone with the link. Folders containing SSH keys accessible to entire departments when only two people need them.
  • Code repositories: Hardcoded passwords in source code. API keys committed to public repositories. Database connection strings in configuration files.
  • Chat tools: Slack, Microsoft Teams, WhatsApp. Database passwords pasted into direct messages. Root access details in a pinned channel message from 2022.
  • Browser-saved passwords: Convenient for users, catastrophic for security. Protected only by the user’s device login. Often a weak password or no password at all.
  • Mobile devices: Screenshots of password reset screens saved to camera rolls. Notes app filled with login credentials synced to personal iCloud accounts.
  • Ticketing systems: Support tickets with passwords included in plaintext. Closed tickets from 2020 still searchable, still containing valid credentials.
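Where secrets of these kinds end up in code and configuration files, a pre-commit or CI scan is the usual first line of detection. The scanner below is an added example written for this article; it is not part of the original text and not Passwork's code. It runs a few pattern rules over constructed sample files (every credential in them is a made-up placeholder), reports each hit with a redacted value, and skips values that merely reference a secret store, the main source of false positives with rules like these.

```python
import re
from dataclasses import dataclass

# Constructed sample repository contents for this example. Every credential
# below is a made-up placeholder, not a real secret.
SAMPLE_FILES = {
    "app/settings.py": [
        "DEBUG = False",
        'DB_PASSWORD = "hunter2-example"',      # hardcoded password
        'API_KEY = "${VAULT_API_KEY}"',         # reference to a secret store, not a secret
        "SESSION_TIMEOUT = 3600",
    ],
    "config/database.yml": [
        "production:",
        "  url: postgres://app_user:s3cret-example@db.internal:5432/app",
    ],
    "deploy/aws.env": [
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB",   # AKIA + 16 chars, constructed
        "AWS_REGION=eu-west-2",
    ],
    "ops/id_rsa_backup.txt": [
        "-----BEGIN OPENSSH PRIVATE KEY-----",
        "b3BlbnNzaC1rZXktdjEAAAAA...",
    ],
    "README.md": ["Set DB_PASSWORD via the secret store, never in this repo."],
}

# Each rule is (finding kind, compiled pattern). Rules that capture a group
# capture the secret value itself so it can be checked for placeholders and redacted.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-material", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("connection-string-with-password",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@")),
    ("hardcoded-credential",
     re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{6,})")),
]

# Values that reference a secret store or are obvious placeholders are not findings.
PLACEHOLDER_MARKERS = ("${", "<", "changeme")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # enough to locate the secret without reproducing it


def is_placeholder(value):
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def redact(value):
    """Keep a short prefix so the owner can recognise the secret, mask the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_line(path, line_no, line):
    findings = []
    for kind, pattern in RULES:
        m = pattern.search(line)
        if not m:
            continue
        # Last capture group holds the secret value; rules without groups use the whole match.
        value = m.groups()[-1] if m.groups() else m.group(0)
        if is_placeholder(value):
            continue
        findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_repository(files):
    """files maps a path to its lines; returns findings in file order."""
    findings = []
    for path, lines in files.items():
        for line_no, line in enumerate(lines, start=1):
            findings.extend(scan_line(path, line_no, line))
    return findings


if __name__ == "__main__":
    for f in scan_repository(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}  {f.kind}  value={f.redacted}")
```

Four of the five sample files produce a finding; the README mention of `DB_PASSWORD` and the `${VAULT_API_KEY}` reference do not. Pattern rules like these are deliberately noisy, so treat every hit as a credential to rotate and then remove from history, not just to delete from the working tree. Established tools such as gitleaks and trufflehog apply the same idea with far larger rule sets.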

Only 23% of UK businesses have a formal incident response plan. Most organizations have no systematic approach to credential management: no visibility into who has access to what, no process for generating strong passwords, no method for secure sharing, and no way to revoke access when employees leave.

Reminders don’t change password behavior. Human memory has limits. Human behavior follows patterns. You need a system that works with human nature, not against it.

UK cyber security statistics

The UK Government’s Cyber Security Breaches Survey 2025 shows the scale of the problem: 43% of businesses suffered a breach in the last year, rising to 74% for large organizations. Phishing attacks were identified by 85% of breached businesses.

Despite 73% of businesses having password policies, adoption of advanced controls remains dismal: just 31% use VPNs for remote access, 30% have user monitoring, and only 29% conduct cyber security risk assessments. A mere 19% provide staff training on cyber security.

Most organizations lack systematic credential management – no visibility into access, no secure sharing process, and inadequate offboarding procedures. Password policies exist on paper, but enforcement and monitoring remain the exception.

The NCSC’s guidance: three random words and MFA

The National Cyber Security Centre (NCSC) official guidance on password security has abandoned complexity theater for something that actually works: three random words. “CoffeeTrainFish” is both memorable and secure — far better than “P@ssw0rd123!” which appears in every breach database.
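As an added example (not from the article or the NCSC), the snippet below generates a three-random-word passphrase with a cryptographically secure random source, shows how its strength depends on the size of the wordlist rather than on symbols or digits, and checks candidates against a constructed breach denylist, in keeping with the NCSC's advice to block known-bad passwords instead of imposing composition rules. The wordlist and the denylist are both tiny, constructed stand-ins; a real deployment would use a published list of thousands of words and a large breached-password dataset.

```python
import math
import secrets

# Constructed miniature wordlist for this example. A real deployment would use a
# large published list (thousands of words); entropy grows with its size.
WORDLIST = ["coffee", "train", "fish", "anchor", "meadow", "pixel", "violet",
            "harbour", "lantern", "orbit", "walnut", "canyon", "ember", "glacier",
            "saddle", "thistle"]

# Constructed stand-in for a breached-password denylist (lower-cased entries).
BREACHED = {"password", "p@ssw0rd123!", "qwerty123", "letmein", "123456"}


def generate_passphrase(words=3, wordlist=WORDLIST):
    """Three random words, NCSC style, each chosen independently with a CSPRNG."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(words))


def passphrase_entropy_bits(wordlist_size, words=3):
    """Strength assuming the attacker knows the method and the wordlist:
    each word contributes log2(size) bits, so three words give 3 * log2(size)."""
    return words * math.log2(wordlist_size)


def is_acceptable(candidate, min_length=12, breached=BREACHED):
    """Policy check: a length floor and a denylist, no complexity rules."""
    if len(candidate) < min_length:
        return False, "too short"
    if candidate.lower() in breached:
        return False, "appears in breach data"
    return True, "ok"


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase())
    print("bits with this 16-word list:", passphrase_entropy_bits(len(WORDLIST)))
    print("bits with a 7776-word list:", round(passphrase_entropy_bits(7776), 1))
    for candidate in ("P@ssw0rd123!", "CoffeeTrainFish"):
        print(candidate, "->", is_acceptable(candidate))
```

The entropy figures make the page's point concrete: the 16-word list above yields only 12 bits, while three words from a 7776-word list give roughly 38.8 bits, and no amount of `@` or `0` substitution rescues a password that is already in a breach dataset.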

But strong passwords alone aren’t enough. The regulatory message is unambiguous: without MFA on every external connection, you’re violating Article 32 of UK GDPR and the Data Protection Act 2018, which mandate “appropriate technical and organisational measures.”

With the ICO wielding fines up to £17.5 million or 4% of global turnover, “appropriate” has suddenly become very well-defined.

The implementation gap: why UK GDPR compliance requires password managers

Enforcing strong, unique passwords across 50, 500, or 5,000 people without a centralized system? You can’t. Or rather, you can try, but you’ll fail in predictable ways. Users will write passwords in notebooks or simply reuse them, because remembering 47 different “three random words” combinations is cognitively impossible.

Your security policy will be perfect on paper and worthless in practice. This is where enterprise password management becomes non-negotiable under UK GDPR requirements. But here’s the problem the vendors don’t advertise: most enterprise password managers are awful to actually use.

They’re technically robust. They tick all the compliance boxes. But they require three-day training sessions, have interfaces designed by people who’ve never watched a normal human try to log into something under time pressure, and come with support teams that respond in 48-72 hours with links to documentation.

So IT departments deploy them, users hate them, and within six months everyone’s back to saving passwords in Chrome and sharing credentials via WhatsApp.

Enterprise password management: Passwork takes a different approach

The problem isn’t that organizations lack password management tools — it’s that nobody uses them. Complex deployment. Unintuitive interfaces. So people revert to old unsecure ways.

Effective credential management requires quick implementation and intuitive design for end users, supported by advanced capabilities for technical teams. IT, DevOps, and sysadmins need secret storage, API integration, and automation. Regular employees need something that works without a manual.

Passwork was designed around this balance. Its features address the specific failures from those ICO cases: role-based access controls prevent the lateral movement that burned Capita, policy enforcement ensures passwords meet NCSC standards, and comprehensive audit logs provide evidence of compliance when the ICO comes asking questions.

But the real differentiator is this: Passwork has a high adoption rate because users don’t hate it. That matters more than any technical specification, because security that people actively avoid using isn’t security at all.

Implementation speed matters. Interface simplicity matters. Feature depth matters. Support quality matters. (Read The Register’s review to see how these factors play out in practice.)

The bottom line

The ICO has made its position crystal clear: basic password security failures are no longer forgivable. The fines are real, they’re large, and they’re accelerating.

You can’t fix this with a strongly worded email about password hygiene. You can’t fix it by telling people to be more careful. The statistics show that individual users, left to their own devices, will reuse passwords and choose weak passwords.

What you can do is implement systems like Passwork that make secure behavior the default. Centralized password management, role-based access controls, and audit trails aren’t nice-to-haves anymore. They’re the minimum standard the regulator expects.

After Capita, Advanced, and 23andMe, you need to ask whether your business can absorb the financial and reputational damage of a preventable breach.

Contributed by Passwork.
