In June 2025, the UK’s Information Commissioner’s Office (ICO) imposed a £2.31 million fine on genetic testing company 23andMe for failing to protect the personal information of UK users. This penalty followed a joint investigation with Canada’s Office of the Privacy Commissioner into a 2023 cyberattack that exposed sensitive data of over 155,000 UK residents.
The Breach Unveiled
Between April and September 2023, attackers ran a credential stuffing campaign against 23andMe's login endpoint: they replayed username and password pairs leaked in earlier, unrelated breaches, and got in to every account whose owner had reused the same password on 23andMe. Because many of the compromised accounts had opted into features that share information with genetic relatives, the data taken extended well beyond the accounts whose credentials were actually guessed. The exposed information included names, birth years, locations, profile images, race, ethnicity, family trees, and health reports.
Security Lapses Identified
The ICO’s investigation revealed several security shortcomings in 23andMe’s platform. The company failed to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication and secure password protocols. Additionally, there were inadequate controls over access to raw genetic data, and the company lacked effective systems to monitor, detect, or respond to cyber threats targeting users’ sensitive information.
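As an added example (not 23andMe's code, and not anything from the ICO's findings), here is the kind of detection the last sentence above describes: a small Python script that scans authentication log lines for the signature of credential stuffing, one source trying many distinct accounts with a high failure rate, and reports the accounts that were successfully logged into during the run. The log format, the thresholds, and the sample lines are all assumptions constructed for the illustration.

```python
"""Credential-stuffing detector over authentication logs.

Added illustration, not 23andMe's code. The log format, the thresholds and
the sample lines below are assumptions made for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<timestamp> ip=<source> user=<login> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    """Per-source counters: distinct accounts tried, outcomes, accounts entered."""
    users: set[str] = field(default_factory=set)
    failures: int = 0
    successes: int = 0
    hit_users: set[str] = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        total = self.failures + self.successes
        return self.failures / total if total else 0.0


def parse_line(line: str) -> dict[str, str] | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, min_users: int = 5, min_fail_ratio: float = 0.8) -> dict[str, SourceStats]:
    """Return the sources whose behaviour matches credential stuffing.

    Signature: one source, many distinct accounts, mostly failures. A user
    mistyping a password fails repeatedly on ONE account; a shared office NAT
    produces several accounts but few failures. Neither trips both thresholds.
    """
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        s = stats[rec["ip"]]
        s.users.add(rec["user"])
        if rec["result"] == "ok":
            s.successes += 1
            s.hit_users.add(rec["user"])
        else:
            s.failures += 1
    return {
        ip: s for ip, s in stats.items()
        if len(s.users) >= min_users and s.fail_ratio >= min_fail_ratio
    }


def compromised_accounts(flagged: dict[str, SourceStats]) -> list[str]:
    """Accounts a flagged source logged into: these need a forced reset."""
    hits: set[str] = set()
    for s in flagged.values():
        hits |= s.hit_users
    return sorted(hits)


# Constructed sample log: normal logins from a shared address, a user
# fat-fingering a password, and one source walking a leaked credential list.
SAMPLE_LOG = [
    "2023-05-12T02:14:01Z ip=203.0.113.7 user=alice result=ok",
    "2023-05-12T02:14:09Z ip=203.0.113.7 user=carol result=ok",
    "2023-05-12T02:15:30Z ip=198.51.100.3 user=bob result=fail",
    "2023-05-12T02:15:41Z ip=198.51.100.3 user=bob result=fail",
    "2023-05-12T02:15:52Z ip=198.51.100.3 user=bob result=ok",
    "garbage line that should be ignored",
]
_STUFFED = ["dave", "erin", "frank", "grace", "heidi", "ivan",
            "judy", "kate", "leo", "mallory", "nina", "oscar"]
SAMPLE_LOG += [
    f"2023-05-12T02:16:{i:02d}Z ip=192.0.2.66 user={u} "
    f"result={'ok' if u == 'erin' else 'fail'}"  # erin reused a leaked password
    for i, u in enumerate(_STUFFED)
]

if __name__ == "__main__":
    flagged = analyse(SAMPLE_LOG)
    for ip, s in flagged.items():
        print(f"ALERT {ip}: {len(s.users)} accounts tried, "
              f"fail ratio {s.fail_ratio:.2f}, entered {sorted(s.hit_users)}")
    print("force reset + MFA enrolment for:", compromised_accounts(flagged))
```

In production the same counters would be kept per time window and also per account (a stuffing run spread across a proxy network shows up as many accounts each failing once from different sources), and the alert would open an investigation rather than print a line. The point the script makes is that the successes from a flagged source are the compromised accounts: they should be forced through a password reset and MFA enrolment immediately, not discovered months later when the data is advertised for sale.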
Inadequate Response to the Breach
Despite early signs of unauthorized activity, 23andMe's response was slow: the company did not open a full investigation until October 2023, after an employee discovered that the stolen data was being advertised for sale on Reddit. By then the credential stuffing campaign had been running for months, and the delay left users' sensitive data exposed to further exploitation and harm.
Impact on Consumers
The breach had a profound impact on affected individuals. Personal information, including sensitive data like race, ethnicity, and health reports, was exposed. One complainant expressed concern, stating, “You can’t change your genetic makeup when a data breach occurs.” Another user felt “disgusted” and “extremely anxious” about the exposure of their DNA data.
Regulatory Findings and Penalty
The ICO concluded that 23andMe violated UK data protection laws by failing to implement appropriate security measures. The company was fined £2.31 million for these infringements. UK Information Commissioner John Edwards commented, “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”
Industry Implications
This case is a stark reminder that the controls the ICO singled out, mandatory multi-factor authentication, secure password practices, strict access controls on raw genetic data, and monitoring that turns early warning signs into a timely investigation, are baseline expectations for any organization handling sensitive personal information, not optional extras. Genetic data cannot be reissued like a password, so the cost of getting these basics wrong is borne permanently by the people affected, along with the trust they placed in the company.

£2.31 million! Ouch! Guessing “What’s in your DNA?” is now followed by “What’s your incident response plan?”. Maybe they can offset the fine by selling anonymized data to cybersecurity firms for breach simulations? Double win!
Great point! That’s a creative way to look at offsetting the fine. Anonymized data, when handled ethically and securely, can indeed be valuable for cybersecurity firms to improve their breach simulations and defenses. It does raise interesting questions about data usage after a breach, though. Thanks for sparking the discussion!
Editor: StorageTech.News
Thank you to our Sponsor Esdebe
The slow response to early warning signs is concerning. How can organizations improve their threat detection and response times, especially when dealing with sensitive data and potential credential stuffing attacks? Would real-time monitoring and automated alerts be a viable solution?
That’s a crucial point about the slow response time! Real-time monitoring and automated alerts definitely seem like a strong step forward. Perhaps layered security approaches, including behavioral analysis, could further enhance threat detection and allow for a quicker response, minimizing potential damage. What other strategies do you think would be effective?
Editor: StorageTech.News
The mention of inadequate access controls is critical. Implementing the principle of least privilege, where users only have access to the data absolutely necessary for their roles, can significantly reduce the potential blast radius of a breach.