Genetic testing giant 23andMe has been hit with a significant £2.31 million fine by the UK’s privacy watchdog following a major data breach that exposed sensitive personal information, family histories, and health reports of thousands. The Information Commissioner’s Office (ICO) branded the incident “profoundly damaging,” citing serious security failures by the company.
The penalty comes after a year-long joint investigation by the ICO and the Office of the Privacy Commissioner of Canada (OPC) into security lapses that allowed attackers to access user data. Information Commissioner John Edwards stated that 23andMe failed to implement adequate measures to protect highly sensitive user data prior to the 2023 incident, despite handling genetic data classified as “special category data” under UK law, which requires enhanced protections.
How the Breach Occurred
The breach, which took place between April and September 2023, was the result of a “credential stuffing” attack. This sophisticated technique saw hackers utilize login credentials (usernames and passwords) that users had previously exposed in breaches on other unrelated websites. By reusing these credentials, attackers gained unauthorized access to 23andMe accounts.
The company’s security systems were found to be inadequate to prevent this type of attack. Specifically, the ICO identified critical failures including:
- Lack of mandatory multi-factor authentication (MFA) for user logins, a basic security layer.
- Insecure password requirements that didn’t prevent the use of easily compromised credentials.
- Absence of sufficient measures to prevent or detect attackers accessing and downloading bulk data, including information related to users’ raw genetic data reports.
- Inadequate monitoring, detection, and response mechanisms for security threats targeting user data.
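As an added illustration (not code from the article, the ICO, or 23andMe), the script below shows the defender-side checks that the failures listed above point to: a credential-stuffing detector that flags a source address trying many distinct accounts with a low success rate, a bulk-access detector that flags an account paging through relative profiles far faster than a person would, and a password check that rejects passwords found in a breach corpus. Every log line, IP address, username, profile id, threshold and the compromised-password list is a constructed assumption for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events (timestamp, source_ip, username, success); not real logs.
# 203.0.113.7 tries eight different accounts in eight seconds with two successes,
# which is the classic credential-stuffing shape; 198.51.100.20 is one user retrying.
LOGIN_EVENTS = [
    ("2023-04-01T10:00:00", "203.0.113.7", "alice", False),
    ("2023-04-01T10:00:01", "203.0.113.7", "bob", False),
    ("2023-04-01T10:00:02", "203.0.113.7", "carol", True),
    ("2023-04-01T10:00:03", "203.0.113.7", "dave", False),
    ("2023-04-01T10:00:04", "203.0.113.7", "erin", False),
    ("2023-04-01T10:00:05", "203.0.113.7", "frank", True),
    ("2023-04-01T10:00:06", "203.0.113.7", "grace", False),
    ("2023-04-01T10:00:07", "203.0.113.7", "heidi", False),
    ("2023-04-01T10:05:00", "198.51.100.20", "ivan", False),
    ("2023-04-01T10:05:30", "198.51.100.20", "ivan", True),
]

# Constructed relative-profile view events (timestamp, username, relative_profile_id).
# "carol" (a compromised account) reads 60 profiles in one minute; "ivan" reads two.
PROFILE_VIEWS = [
    ("2023-04-01T10:06:00", "ivan", "rel-1"),
    ("2023-04-01T10:07:00", "ivan", "rel-2"),
] + [
    ((datetime(2023, 4, 1, 10, 0, 10) + timedelta(seconds=i)).isoformat(),
     "carol", f"rel-{100 + i}")
    for i in range(60)
]

# Constructed stand-in for a breached-password corpus (assumption for the example).
COMPROMISED_PASSWORDS = {"Password123!", "123456", "qwerty", "letmein"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, max_success_rate=0.5):
    """Return {source_ip: stats} for addresses whose sliding window of attempts
    touches many distinct accounts with a low success rate."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((_parse(ts), user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_accounts and successes / len(win) <= max_success_rate:
                flagged[ip] = {"accounts": len(users), "attempts": len(win),
                               "successes": successes}
    return flagged


def detect_bulk_access(views, window=timedelta(minutes=5), max_profiles=25):
    """Return {username: peak_distinct_profiles} for accounts that view more
    distinct relative profiles inside one window than the threshold allows."""
    by_user = defaultdict(list)
    for ts, user, profile in views:
        by_user[user].append((_parse(ts), profile))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = {p for _, p in rows[start:end + 1]}
            if len(distinct) > max_profiles:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def is_acceptable_password(password, compromised, min_length=12):
    """Reject short passwords and any password present in the breach corpus."""
    return len(password) >= min_length and password not in compromised


if __name__ == "__main__":
    print("credential stuffing:", detect_credential_stuffing(LOGIN_EVENTS))
    print("bulk access:", detect_bulk_access(PROFILE_VIEWS))
    print("weak password rejected:",
          not is_acceptable_password("Password123!", COMPROMISED_PASSWORDS))
```

On the constructed input the first detector flags 203.0.113.7 (eight accounts, two successes) and leaves the retrying user alone, and the second flags only the account that reads sixty profiles in a minute; in production the thresholds would be tuned against the service's own baseline, and a breach-corpus check would normally query a k-anonymity service rather than hold the list locally.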
Critically, the attack reportedly went undetected for five months, from April to September 2023. 23andMe only launched a full investigation and publicly acknowledged the breach in October 2023, after stolen data appeared for sale online, including on platforms like Reddit and BreachForums.
Scope and Sensitivity of Exposed Data
While attackers directly accessed only about 14,000 individual accounts, the widespread use of 23andMe’s “DNA Relatives” feature dramatically amplified the impact. This feature allows users to connect and share data with potential relatives identified through their genetic information.
Through the compromise of a relatively small number of accounts, attackers were able to access information relating to approximately 6.9 million people linked as possible relations globally. This included data belonging to 155,592 UK residents.
The exposed data was highly sensitive, encompassing:
- Personal identification information like names, year of birth, geographical location (city/postcode), and profile images.
- Detailed family histories and family trees.
- Race and ethnicity information.
- Sensitive health reports derived from genetic data.
- In some cases, specific health conditions and addresses.
It is important to note that while extensive sensitive data derived from genetic analysis was accessed, 23andMe maintained that the attackers did not steal users’ raw DNA sequence data itself.
Information Commissioner John Edwards underscored the severe nature of the exposed data: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions… Once this information is out there, it cannot be changed or reissued like a password or credit card number.” He further criticized the company, stating, “Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”
Context: Bankruptcy, Sale, and Future Commitments
The ICO fine comes as 23andMe navigates Chapter 11 bankruptcy proceedings, filed in March 2024 following several years of financial difficulties exacerbated by the data breach.
The company, which had previously engaged in commercial deals to sell users’ de-identified genetic data to pharmaceutical and biotech firms like GSK (reportedly over 30 such deals), is now set to sell its assets for $305 million (£225 million) to TTAM Research Institute. TTAM is a non-profit biotech organization led by 23andMe’s co-founder and former CEO, Anne Wojcicki.
As part of the proposed sale, pending bankruptcy court approval, TTAM has made several binding commitments aimed at enhancing customer data protection and privacy. These include:
- Upholding existing policies that allow customers to delete their accounts and genetic data.
- Allowing customers to opt out of research participation.
- Providing notification about the acquisition’s implications.
- Committing that any future sale would adhere to TTAM’s privacy policies and data laws.
- Pledging not to sell genetic data in bankruptcy without adhering to its privacy rules.
- Offering two years of free identity theft monitoring to affected users.
- Continuing to allow the use of de-identified data for scientific and biomedical research.
Both the UK and Canadian privacy watchdogs had recently urged 23andMe to prioritize protecting sensitive customer data during its bankruptcy process.
Wider Legal Landscape and Redress
The UK fine adds to the legal pressures on 23andMe stemming from the breach. In the US, the company faced multiple class-action lawsuits and agreed to a $30 million settlement to resolve claims for 6.4 million affected customers worldwide. Several US state attorneys general have also taken legal action to protect user data during the sale process.
Commentary has highlighted the contrast in victim redress between the UK and the US: the ICO fine is paid to the state, whereas the US settlement provides direct compensation to affected individuals. Solicitors note that the lack of a robust class-action system for data breaches in the UK hinders individuals from seeking redress and reduces accountability for companies.
While 23andMe claims it resolved the fundamental security issues identified by regulators by the end of 2024, regulators noted the significant delay in addressing the vulnerabilities that left sensitive data exposed for months.
The incident serves as a stark reminder of the immense sensitivity of genetic and health data and the critical need for companies holding such information to implement and maintain the highest levels of security and vigilance. Experts continue to advise consumers to carefully consider the implications before sharing their genetic information online.