23andMe Fined Millions

Summary

The UK’s Information Commissioner’s Office (ICO) fined 23andMe £2.31 million for a 2023 data breach that exposed sensitive genetic information of over 150,000 UK residents. The ICO criticized 23andMe’s inadequate security measures, slow response, and failure to prevent unauthorized access to genetic data. This fine follows a joint investigation with Canada’s privacy watchdog and highlights the importance of robust data protection practices.


Main Story

Genetic Data Exposed: 23andMe Faces £2.31 Million Fine

The UK’s Information Commissioner’s Office (ICO) has imposed a £2.31 million fine on 23andMe, the genetic testing company, for a significant data breach that occurred in 2023. This breach compromised the sensitive personal information of over 150,000 UK residents, including genetic data, health reports, and family histories. The ICO’s investigation, conducted jointly with the Office of the Privacy Commissioner of Canada, uncovered serious security failings that allowed hackers to access this sensitive information.

Inadequate Security Measures at Fault

The ICO’s investigation revealed that 23andMe’s security systems were inadequate to protect user data. Specifically, the company lacked multi-factor authentication, had weak password requirements, and did not have adequate monitoring systems to detect unusual activity. These shortcomings made the company vulnerable to a credential-stuffing attack, in which attackers reused login credentials stolen in other data breaches to gain unauthorized access to 23andMe accounts.
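The monitoring gap described above is the kind of thing a simple login-telemetry rule catches: a credential-stuffing run shows up as one source trying many distinct accounts and mostly failing. The following is an added example, not code from the article or from 23andMe; the log line format, the sample lines and the thresholds are assumptions made for the demonstration.

```python
from collections import defaultdict
import re

# Constructed sample auth log; the line format and thresholds are assumptions.
# One source (203.0.113.7) walks through many accounts with mostly failures,
# the signature of replayed credentials from other breaches.
SAMPLE_LOG = """\
2023-04-12T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-04-12T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-04-12T10:00:03Z ip=203.0.113.7 user=carol result=SUCCESS
2023-04-12T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2023-04-12T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2023-04-12T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2023-04-12T10:00:07Z ip=198.51.100.4 user=alice result=FAIL
2023-04-12T10:00:08Z ip=198.51.100.4 user=alice result=SUCCESS
2023-04-12T10:00:09Z ip=192.0.2.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(SUCCESS|FAIL)")

def parse_log(text):
    """Yield (ip, user, succeeded) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "SUCCESS"

def detect_credential_stuffing(text, min_users=5, max_success_rate=0.5):
    """Flag sources that tried >= min_users distinct accounts with a success
    rate <= max_success_rate; a legitimate user retrying hits one account."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": []})
    for ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].append(user)  # accounts the source actually got into
    flagged = {}
    for ip, s in per_ip.items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"],
                           "success_rate": round(rate, 2),
                           "compromised": sorted(set(s["hits"]))}
    return flagged
```

The `compromised` list is the actionable output: those are the accounts whose sessions should be revoked and passwords reset, and they are precisely the logins that a second factor would have blocked. A real deployment would window the counts by time and also key on user agent or ASN, since stuffing tools rotate source addresses.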

Profoundly Damaging Breach

John Edwards, the UK Information Commissioner, described the breach as “profoundly damaging,” emphasizing the sensitive nature of the exposed information. Unlike passwords or credit card numbers, genetic information is immutable and deeply personal, carrying significant implications for individuals and their families. The breach exposed information such as family histories, health conditions, and even ethnic origins, causing considerable distress and anxiety among those affected.

Slow Response and Missed Opportunities

The ICO also criticized 23andMe’s slow response to the breach, noting that the company missed several opportunities to act before the stolen data appeared for sale online. The credential-stuffing attacks began in April 2023, but 23andMe didn’t publicly acknowledge the breach until October of that year. This delay exacerbated the harm caused by the breach and further exposed users’ sensitive data.

Financial Troubles and Legal Battles

This fine comes at a difficult time for 23andMe, which filed for Chapter 11 bankruptcy in late March 2025 and plans to sell its assets. The company has also faced multiple class-action lawsuits related to the 2023 data breach. In September 2024, 23andMe agreed to a $30 million settlement in a US lawsuit related to the breach, which affected 6.4 million customers worldwide. These financial and legal challenges underscore the significant consequences of data breaches, particularly those involving sensitive personal information.

A Call for Stronger Data Protection

This case serves as a stark reminder of the importance of robust data protection practices, especially for companies handling sensitive personal information. The ICO’s fine sends a clear message that organizations must take proactive steps to protect user data, including implementing strong security measures, monitoring for threats, and responding quickly to incidents. The increasing severity and complexity of cyberattacks demand a heightened focus on data protection to prevent harm and safeguard individuals’ privacy. This information is current as of June 21, 2025, and may change with future developments.

1 Comment

  1. The ICO’s emphasis on immutable genetic data highlights the long-term implications of breaches compared to those involving financial data. This raises questions about the ethics of companies holding such sensitive information and the potential need for even stricter regulations around genetic data security and access.
