
In June 2025, the UK’s Information Commissioner’s Office (ICO) imposed a £2.31 million fine on 23andMe, a prominent genetic testing company, for failing to safeguard the personal data of UK users. This penalty followed a significant data breach between April and September 2023, during which attackers used login credentials reused from earlier, unrelated breaches (credential stuffing) to access sensitive information. The breach affected 155,592 UK residents, exposing personal details such as names, birth years, self-reported locations, profile images, race, ethnicity, family trees, and health reports. The severity of the breach was compounded by the nature of the data involved: genetic information is classified as “special category data” under UK data protection law and requires enhanced security measures.

The ICO’s investigation, conducted in collaboration with Canada’s Office of the Privacy Commissioner, revealed several critical security shortcomings at 23andMe. Notably, the company lacked robust authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, and unpredictable usernames. Additionally, 23andMe failed to implement appropriate controls over access to raw genetic data and lacked effective systems to monitor, detect, or respond to cyber threats targeting sensitive customer information.

The company’s response to the breach was also found to be inadequate. Despite receiving multiple warnings of potential unauthorized activity between July and September 2023, including a login spike in July and direct contact from third parties regarding personal data being sold online, 23andMe dismissed these as isolated incidents. It was only in October 2023, after an employee discovered that the stolen data was being advertised for sale on Reddit, that the company initiated a full internal investigation.

This delay in response was criticized by the ICO, which emphasized the importance of timely and effective action in such incidents. The ICO’s findings highlighted that 23andMe’s security systems were inadequate, the warning signs were present, and the company’s slow response left individuals’ most sensitive data vulnerable to exploitation and harm. This case serves as a stark reminder of the critical importance of implementing robust data security measures, especially for companies handling sensitive personal information. The breach not only compromised the privacy of thousands of individuals but also underscored the need for organizations to prioritize data protection and respond promptly to potential security threats.

In response to the breach, 23andMe implemented measures to block similar incidents, including enabling two-factor authentication by default and requiring customers to reset passwords. However, these actions were taken after the breach had occurred and were considered insufficient to address the ICO’s findings. The fine imposed by the ICO reflects the severity of the breach and the company’s failure to adhere to data protection laws. This incident serves as a cautionary tale for other organizations handling sensitive personal data, emphasizing the necessity of proactive and comprehensive data security strategies to protect against increasingly sophisticated cyber threats.
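The two warning signs the ICO says went unheeded, a login spike and credential stuffing, are both visible in ordinary authentication logs. The following is an added example, not code from the article or from 23andMe: a small Python detector run over constructed log lines in a hypothetical format (timestamp, source IP, username, outcome) that flags hours whose attempt count exceeds a baseline and source addresses that try many distinct usernames with a high failure ratio, reporting any account such a source did get into.

```python
import re
from collections import Counter, defaultdict

# Hypothetical auth log format: "<ISO timestamp> <source ip> <username> <OK|FAIL>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<outcome>OK|FAIL)$")

# Constructed sample lines (not real data): a few normal logins, then one source
# cycling through many different usernames with mostly failures and one success.
LOG_LINES = [
    "2023-07-12T09:05:10 198.51.100.4 alice OK",
    "2023-07-12T09:40:22 198.51.100.9 bob OK",
    "2023-07-12T10:01:03 203.0.113.7 carol FAIL",
    "2023-07-12T10:01:04 203.0.113.7 dave FAIL",
    "2023-07-12T10:01:05 203.0.113.7 erin FAIL",
    "2023-07-12T10:01:06 203.0.113.7 frank OK",
    "2023-07-12T10:01:07 203.0.113.7 grace FAIL",
    "2023-07-12T10:01:08 203.0.113.7 heidi FAIL",
    "2023-07-12T10:30:00 198.51.100.4 alice OK",
]

def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def hourly_spikes(events, baseline_per_hour, factor=3.0):
    """Hours whose attempt count exceeds factor * baseline (the 'login spike' signal)."""
    per_hour = Counter(e["ts"][:13] for e in events)  # "YYYY-MM-DDTHH"
    return {h: n for h, n in per_hour.items() if n > factor * baseline_per_hour}

def stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Sources trying many distinct usernames with a high failure ratio.
    Any account such a source logged into successfully is a likely takeover."""
    by_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": set()})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["outcome"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(e["user"])
    flagged = {}
    for ip, s in by_ip.items():
        if len(s["users"]) >= min_users and s["fails"] / s["total"] >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "compromised": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    ev = parse(LOG_LINES)
    print("spike hours:", hourly_spikes(ev, baseline_per_hour=1))
    print("stuffing sources:", stuffing_sources(ev))
```

The thresholds are illustrative; in practice the baseline comes from the site's own historical traffic and the flagged "compromised" accounts are the ones to force a password reset and MFA enrolment on.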
The ICO’s emphasis on timely action after detecting potential unauthorized activity is crucial. Could advancements in real-time threat detection, powered by machine learning, have potentially mitigated the impact by identifying and responding to the login spike earlier?
That’s a great point! Absolutely, machine learning could have been a game-changer in spotting that login spike earlier. Imagine if the system flagged it immediately, triggering an alert and prompting an investigation. It really highlights the need for proactive, AI-driven security in handling sensitive data.
Editor: StorageTech.News
Thank you to our Sponsor Esdebe
The collaboration between the ICO and Canada’s Office of the Privacy Commissioner highlights the increasing importance of international cooperation in addressing data breaches that transcend national borders. How can organizations better prepare for and navigate these complex, cross-border investigations?
That’s a really important question! I think one key element is establishing clear lines of communication and data-sharing protocols *before* an incident occurs. Having pre-agreed frameworks with international counterparts could really streamline investigations when time is of the essence. What are your thoughts?
Editor: StorageTech.News
The ICO’s investigation highlights the risks of neglecting early warning signs. Investing in threat intelligence platforms to proactively identify credential stuffing attacks could significantly reduce the impact of breaches by identifying compromised credentials before they’re exploited.