In June 2025, the UK’s Information Commissioner’s Office (ICO) imposed a £2.31 million fine on genetic testing company 23andMe for failing to protect the personal information of UK users. This penalty followed a joint investigation with Canada’s Office of the Privacy Commissioner into a 2023 cyberattack that exposed sensitive data of over 155,000 UK residents.
The Breach Unveiled
Between April and September 2023, hackers conducted a credential stuffing attack on 23andMe’s platform. They exploited reused login credentials from previous, unrelated data breaches to gain unauthorized access to user accounts. This attack compromised personal information, including names, birth years, locations, profile images, race, ethnicity, family trees, and health reports.
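The reuse of credentials leaked elsewhere is the precondition the attack above depends on, so one defensive control is to refuse a password at set or reset time if it already appears in a known breach corpus. The following Python is an added example, not code from the article or from 23andMe: it builds a small range index modelled on the k-anonymity lookup used by Have I Been Pwned's Pwned Passwords API (SHA-1, bucketed by a 5-character hex prefix) over a constructed toy corpus, and rejects candidates that are too short or previously breached. The corpus, the `min_length` threshold and all function names are assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Constructed toy corpus of passwords exposed in earlier, unrelated breaches
# (not real breach data). A real deployment loads a large corpus or queries
# a range API with only the hash prefix.
BREACHED_PASSWORDS = ["password123", "qwerty", "letmein", "Summer2023!", "password123"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the digest breach corpora are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Bucket hashes by their first 5 hex characters (the prefix a client would send
    in a range lookup); each bucket maps hash suffix -> number of occurrences."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] += 1
    return index


BREACH_INDEX = build_range_index(BREACHED_PASSWORDS)


def breach_count(password, index=BREACH_INDEX):
    """How many times the password appears in the corpus (0 means never seen).
    dict.get is used so a miss does not create an empty bucket."""
    digest = sha1_hex(password)
    bucket = index.get(digest[:5], {})
    return bucket.get(digest[5:], 0)


def evaluate_password(password, index=BREACH_INDEX, min_length=12):
    """Return the reasons a candidate should be rejected at set/reset time;
    an empty list means it passed both the length and the breach-corpus check."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, index)
    if seen:
        reasons.append(f"appears {seen} time(s) in known breach corpora")
    return reasons


if __name__ == "__main__":
    for candidate in ["password123", "correct horse battery staple"]:
        print(candidate, "->", evaluate_password(candidate) or "accepted")
```

Because only the 5-character prefix is needed to select a bucket, the same structure lets a client query a remote corpus without disclosing the full hash. A breached-password check at set time complements multi-factor authentication; it does not replace it, since a password that is clean today may leak tomorrow.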
Security Lapses Identified
The ICO’s investigation revealed several security shortcomings in 23andMe’s platform. The company failed to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication and secure password protocols. Additionally, there were inadequate controls over access to raw genetic data, and the company lacked effective systems to monitor, detect, or respond to cyber threats targeting users’ sensitive information.
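The monitoring gap the ICO describes is the kind of thing a simple sliding-window detector over authentication logs would surface. The following Python is an added example, not code from the article or from 23andMe's systems: it parses constructed login-attempt lines, flags a source that tries many distinct accounts with a high failure rate inside a short window, and lists any account that was successfully signed into from such a source so it can be forced through step-up authentication or have its session revoked. The log format, IP addresses, account names, window and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real 23andMe data), one line per
# login attempt: timestamp, source IP, account name, outcome.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-05-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-05-01T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2023-05-01T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2023-05-01T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2023-05-01T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2023-05-01T10:00:07Z ip=203.0.113.7 user=grace result=SUCCESS
2023-05-01T10:01:10Z ip=198.51.100.4 user=alice result=FAIL
2023-05-01T10:01:25Z ip=198.51.100.4 user=alice result=SUCCESS
2023-05-01T10:02:00Z ip=192.0.2.9 user=heidi result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples sorted by time.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, min_fail_ratio=0.8):
    """Sliding-window heuristic: a source IP that attempts at least `min_accounts`
    distinct accounts within `window` with a failure ratio of at least
    `min_fail_ratio` is flagged; any success from a flagged source marks that
    account as at risk of takeover."""
    recent = defaultdict(deque)      # ip -> deque of (ts, user, result) in window
    flagged_sources = set()
    at_risk_accounts = set()
    for ts, ip, user, result in events:
        q = recent[ip]
        q.append((ts, user, result))
        while q and ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        accounts = {u for _, u, _ in q}
        failures = sum(1 for _, _, r in q if r == "FAIL")
        if len(accounts) >= min_accounts and failures / len(q) >= min_fail_ratio:
            flagged_sources.add(ip)
        if result == "SUCCESS" and ip in flagged_sources:
            at_risk_accounts.add(user)
    return {"stuffing_sources": flagged_sources, "at_risk_accounts": at_risk_accounts}


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_log(SAMPLE_LOG)))
```

On the sample data the single failed-then-successful login from 198.51.100.4 is a user mistyping their own password and is not flagged, while 203.0.113.7 is flagged after six distinct accounts fail in quick succession, and the later success against `grace` from that source is reported for follow-up. In production the per-IP key would usually be widened (ASN, device fingerprint, or a hash of the client profile), since stuffing tools rotate source addresses.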
Inadequate Response to the Breach
Despite early signs of unauthorized activity, 23andMe’s response was slow. The company did not initiate a full investigation until October 2023, after an employee discovered that stolen data was being advertised for sale on Reddit. This delay left users’ sensitive data vulnerable to exploitation and harm.
Impact on Consumers
The breach had a profound impact on affected individuals. Personal information, including sensitive data like race, ethnicity, and health reports, was exposed. One complainant expressed concern, stating, “You can’t change your genetic makeup when a data breach occurs.” Another user felt “disgusted” and “extremely anxious” about the exposure of their DNA data.
Regulatory Findings and Penalty
The ICO concluded that 23andMe violated UK data protection laws by failing to implement appropriate security measures. The company was fined £2.31 million for these infringements. UK Information Commissioner John Edwards commented, “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”
Industry Implications
This case serves as a stark reminder of the importance of robust data protection measures, especially for companies handling sensitive personal information. Organizations must prioritize cybersecurity to prevent similar breaches and protect user trust.

£2.31 million! Ouch! Guessing “What’s in your DNA?” is now followed by “What’s your incident response plan?”. Maybe they can offset the fine by selling anonymized data to cybersecurity firms for breach simulations? Double win!
Great point! That’s a creative way to look at offsetting the fine. Anonymized data, when handled ethically and securely, can indeed be valuable for cybersecurity firms to improve their breach simulations and defenses. It does raise interesting questions about data usage after a breach, though. Thanks for sparking the discussion!
Editor: StorageTech.News
Thank you to our Sponsor Esdebe
The slow response to early warning signs is concerning. How can organizations improve their threat detection and response times, especially when dealing with sensitive data and potential credential stuffing attacks? Would real-time monitoring and automated alerts be a viable solution?
That’s a crucial point about the slow response time! Real-time monitoring and automated alerts definitely seem like a strong step forward. Perhaps layered security approaches, including behavioral analysis, could further enhance threat detection and allow for a quicker response, minimizing potential damage. What other strategies do you think would be effective?
Editor: StorageTech.News
The mention of inadequate access controls is critical. Implementing the principle of least privilege, where users only have access to the data absolutely necessary for their roles, can significantly reduce the potential blast radius of a breach.
Absolutely! You’re spot on about least privilege. It’s not just about access, but also about regularly reviewing and revoking permissions when they’re no longer needed. What tools or processes have you found helpful in managing and auditing user access rights effectively?
Editor: StorageTech.News
Given the sensitivity of genetic data, what specific measures, beyond those mentioned, could have prevented the exploitation of reused credentials in this instance? Would stricter password complexity requirements have sufficed, or was a more proactive approach needed?
That’s a really important question! I think a proactive approach is key. While stricter passwords help, measures like behavioral biometrics and adaptive authentication, which analyze login patterns, could flag suspicious activity even with valid credentials. What are your thoughts on the feasibility of implementing these more advanced techniques?
Editor: StorageTech.News
The ICO’s focus on “basic steps” highlights a critical need for foundational security hygiene. Beyond MFA, how can organizations ensure consistent and comprehensive application of security best practices across all user accounts and data access points?
That’s a great point about foundational security! Beyond MFA, I think regular security audits and vulnerability assessments are crucial. We also need to empower users with security awareness training so they can identify and report potential threats. What are your experiences with implementing effective training programs?
Editor: StorageTech.News
The ICO’s findings underscore the critical need for proactive threat detection. Beyond monitoring, how can organizations leverage AI and machine learning to identify anomalous user behavior and potential credential stuffing attacks in real time?
That’s a really important point about proactive threat detection. AI and machine learning offer incredible opportunities, but what about the ethical considerations of using these technologies to monitor user behavior? How do we balance security with user privacy?
Editor: StorageTech.News
The delay in initiating a full investigation is notable. Beyond real-time monitoring, what role can threat intelligence sharing platforms play in proactively identifying and mitigating credential stuffing attacks across multiple organizations?
That’s a great question! Threat intelligence sharing platforms are definitely crucial. By sharing indicators of compromise across organizations, we can create a more robust defense. This collaborative approach could help proactively identify and block credential stuffing attempts before they cause significant damage. What are your thoughts on incentivizing participation in these platforms?
Editor: StorageTech.News
Given the sensitivity of genetic data, should companies handling such information be subject to higher security standards and more frequent audits than those handling less sensitive data?
That’s a great point! I think the sensitivity of genetic data definitely warrants a tailored security approach. Perhaps a framework similar to HIPAA in the healthcare sector could be adapted, with mandatory certifications and regular independent audits to ensure compliance. What are your thoughts on applying industry-specific regulations to genetic data security?
Editor: StorageTech.News