UK regulators issued major penalties against online services for inadequate age assurance controls intended to protect children. The Information Commissioner’s Office (ICO) fined Reddit £14.47 million for unlawfully processing children’s data, alleging that despite a stated under-13 prohibition, Reddit did not introduce an age assurance mechanism until July 2025 and had not completed a required data protection impact assessment (DPIA) before January 2025. The ICO said these failures potentially exposed minors to inappropriate content and left under-13 users’ personal data collected and used without a lawful basis; Reddit said it intends to appeal.
Separately, communications regulator Ofcom fined porn operator 8579 LLC £1.35 million under the UK Online Safety Act for failing to deploy “highly effective” age checks (e.g., photo ID matching or credit card checks) to prevent minors from accessing adult content. Ofcom also imposed an additional £50,000 penalty for allegedly ignoring information requests and warned of an ongoing £1,000/day penalty until compliant age verification is implemented, amid broader concerns from civil liberties groups about the privacy and cybersecurity risks of stringent age-verification regimes.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
Following the ICO penalty, Reddit said it plans to appeal and argued that the regulator's approach would force it to collect more private identity information from U.K. users. The company maintained that this would conflict with privacy and safety goals.
The U.K. Information Commissioner's Office fined Reddit £14.47 million, finding it unlawfully processed personal data of children under 13 and failed to implement effective age assurance. The ICO also said Reddit had not completed a required data protection impact assessment before January 2025.
Ofcom fined porn company 8579 LLC £1.35 million for not deploying required age verification on its adult sites, and added a further £50,000 for allegedly ignoring information requests. The regulator also warned of an ongoing £1,000-per-day penalty until an effective age-check system is in place.
The U.K. Information Commissioner's Office sent Reddit provisional findings alleging failures in age assurance and unlawful processing of under-13 users' data. The regulator said Reddit had not adequately protected children and had not completed a required DPIA before January 2025.
Reddit implemented age assurance controls in July 2025, including age prompts at account creation and third-party identity verification for users seeking mature content in the UK. The move came after the platform had previously relied largely on self-declared ages.
Ofcom required pornographic websites to implement "highly effective" age assurance measures, such as photo ID matching or credit card checks, under the U.K.'s Online Safety Act. This requirement was described as being in force from July 2025.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
helpnetsecurity.com
Open sourcearstechnica.com
Open sourcecybersecuritynews.com
Open sourcetherecord.media
Open sourceico.org.uk
Open sourcego.theregister.com
Open sourcetherecord.media
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.