On 25 July 2025, a spokesperson for the US-based app Tea Dating Advice (the Tea app) confirmed that it had spilled more than relationship tips, following a major data breach. The very same day, the UK began rolling out new age verification measures to comply with the Online Safety Act 2023. In this article, we unpack what the Tea app breach might signal for the UK’s own push towards mandatory ID checks.
The App
The Tea app allows women to upload and comment on photos of potential partners, as well as check public records and perform image searches ahead of prospective dates. The app’s marketing emphasises its use as a tool for women’s dating safety.
As part of the account verification process, users were required to upload a selfie and a copy of their ID (although the app maintains that the ID requirement was removed in 2023). The app’s privacy policy stated that data would be securely processed and temporarily stored, then deleted following the completion of the verification process.
Towards the end of July 2025, the app surged to the number 1 spot in the US Apple store.
The Online Safety Act
Just as the Tea app was reaching its peak popularity, people in the UK were finding that the online landscape was about to shift dramatically. On 25 July 2025, users accessing a variety of virtual platforms were greeted with unfamiliar age verification checks.
Instead of the usual tick box exercises, platforms now only granted access through facial age estimation or ID verification.
The sudden change was a result of the implementation of the Online Safety Act 2023. Beginning as the Government’s Online Harms White Paper, the initial draft Online Safety Bill was published in May 2021, sparking years of parliamentary scrutiny. The bill ultimately received Royal Assent on 26 October 2023, officially becoming the “Online Safety Act”.
The Act places legal responsibilities on online platforms to prevent minors from accessing adult content. Verification can be conducted through users uploading selfies to age verification providers such as Yoti, or through uploading copies of identification documents.
The Breach
On the same day as new ID measures were being implemented across the UK, a US spokesperson for the Tea app confirmed that an estimated 72,000 images (comprising verification selfies, uploaded ID photos, as well as app screenshots) were accessed by unauthorised parties and posted on the anonymous imageboard website, 4chan.
The app's publishers claimed that the breach only contained data from users who signed up before February 2024. Media outlets immediately began discussing the possibility of the leaked data being used for fraudulent means.
A second breach was then reported on 28 July 2025, with an estimated 1.1 million private messages being leaked. The messages contained further personal data such as user locations and phone numbers. Multiple lawsuits have since commenced against the app’s publishers.
The Lessons
The Tea app breach is a stark reminder that when platforms collect sensitive personal data – especially identity documents or biometric information – the breach stakes skyrocket. For UK organisations just getting to grips with the new landscape of ID verification, this is more than a cautionary tale; it is a blueprint for risk.
The kicker is that outsourcing these requirements to third parties who specialise in ID verification does not absolve a company of responsibility. ID verification providers will likely be held to be data processors under the GDPR, so if the worst happens, it will still be the company using their services that will need to deal with the fallout.
This is likely to manifest as regulatory and individual notifications, as well as reputational harm.
Cybercriminals could leverage these wide-ranging impacts to try to bring an organisation to the negotiating table through ransom demands in exchange for deletion of data. That might be a compelling prospect for some organisations whose operations and reputation demand discretion, though the Government is also looking to curtail ransom payments.
The risk of claims here is also increased exponentially through the potential to expose an individual’s identity linked directly with their online activity. As a result, any breach is likely to generate significantly higher volumes of claims deriving from embarrassment, distress and/or reputational damage.
The Home Office Cyber security breaches survey for 2025 notes that, as of June, 43% of UK businesses have experienced a cyber security breach in the last 12 months. Therefore, companies should be revisiting their compliance and incident response planning to cater for any new types of data being handled. Key aspects of this will include considering options for data minimisation, retention periods and vendor due diligence, as well as ensuring that robust plans are in place should a breach occur.
While the new legislation was implemented for the explicit purpose of protecting children from adult content, it also brings with it an unintended consequence: platforms complying with the rules could become prime targets for cybercriminals. Verified identity data is a high-value prize – linking real identities to online activity – and if compromised it could have implications far beyond the law’s well-intentioned aims.