23andMe Fined £2.3m Over Major UK Data Breach That Exposed Sensitive Genetic Details
The UK’s data protection watchdog has fined DNA testing firm 23andMe £2.31 million for failing to adequately protect the personal information of more than 155,000 UK residents affected by a major data breach in 2023.
According to the Information Commissioner’s Office (ICO), the breach – which impacted more than 155,000 UK residents – exposed highly sensitive data, including health information, ethnicity, family history, and profile images. The incident was labelled “profoundly damaging” by Information Commissioner John Edwards, who criticised the company’s weak security controls and slow response.
“This breach affected deeply personal information that, unlike passwords or credit card numbers, can’t simply be changed or replaced,” Edwards said in a statement.
The data breach stemmed from a “credential stuffing” attack disclosed in October 2023, in which attackers replayed username and password pairs leaked in earlier breaches of other services against 23andMe’s login, relying on users having reused the same password. Around 14,000 accounts were directly compromised, but because the platform’s opt-in DNA Relatives matching feature let each compromised account view profile data of its genetic relatives, nearly 6.9 million individuals were indirectly affected.
Although DNA files themselves were not accessed, attackers were able to obtain names, locations, ethnic background, and health reports – data classified as “special category” personal data under UK law (Article 9 of the UK GDPR), which requires stricter safeguards than ordinary personal data.
The ICO investigation, conducted jointly with Canada’s privacy commissioner, found that 23andMe had failed to implement essential security practices. These included the absence of mandatory multi-factor authentication (MFA), inadequate password requirements, and insufficient additional verification for users accessing or downloading raw genetic data.
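The credential-stuffing pattern described above is detectable in ordinary authentication logs: one source trying many different usernames with a high failure rate, with a handful of successes. The following is an added illustration, not code from this article, from 23andMe or from the ICO; the log format, field names, thresholds and sample lines are all assumptions constructed for the example.

```python
"""Per-source credential-stuffing detector over authentication logs.

Added illustration. The log format, field names and thresholds are
assumptions for this example, not 23andMe's logging or the ICO's findings.
"""
import re
from collections import defaultdict

# Constructed sample log (not real data). One line per login attempt.
# 203.0.113.7 sprays ten different usernames and gets two in;
# 198.51.100.2 is one user mistyping their own password once.
SAMPLE_LOG = """\
2023-09-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2023-09-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2023-09-01T10:00:03Z ip=203.0.113.7 user=carol result=ok
2023-09-01T10:00:04Z ip=203.0.113.7 user=dave result=fail
2023-09-01T10:00:05Z ip=203.0.113.7 user=erin result=fail
2023-09-01T10:00:06Z ip=203.0.113.7 user=frank result=ok
2023-09-01T10:00:07Z ip=203.0.113.7 user=grace result=fail
2023-09-01T10:00:08Z ip=203.0.113.7 user=heidi result=fail
2023-09-01T10:00:09Z ip=203.0.113.7 user=ivan result=fail
2023-09-01T10:00:10Z ip=203.0.113.7 user=judy result=fail
2023-09-01T10:05:00Z ip=198.51.100.2 user=alice result=fail
2023-09-01T10:05:10Z ip=198.51.100.2 user=alice result=ok
2023-09-01T10:06:00Z ip=198.51.100.9 user=bob result=ok
"""

# Assumed line format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Yield (ts, ip, user, success) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["user"], m["result"] == "ok"


def source_stats(text):
    """Aggregate attempts per source IP: distinct users, failures, successes."""
    stats = defaultdict(lambda: {"users": set(), "fails": 0, "oks": 0, "ok_users": set()})
    for _ts, ip, user, success in parse_log(text):
        s = stats[ip]
        s["users"].add(user)
        if success:
            s["oks"] += 1
            s["ok_users"].add(user)
        else:
            s["fails"] += 1
    return stats


def flag_stuffing_sources(text, min_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for sources that look like credential stuffing.

    The signature is many *different* usernames from one source with a high
    failure ratio: a leaked credential list mostly fails (passwords changed
    or never reused) but a few pairs still work. A single user retrying
    their own password is one username and is never flagged, however many
    failures it produces.
    """
    flagged = {}
    for ip, s in source_stats(text).items():
        attempts = s["fails"] + s["oks"]  # >= 1 for any ip present
        fail_ratio = s["fails"] / attempts
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": attempts,
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


def compromised_accounts(text, **thresholds):
    """Accounts that logged in successfully from a flagged source.

    These are the accounts to reset, revoke sessions for, and, on a service
    with relative matching, the starting point for working out whose
    profile data was exposed to the attacker second-hand.
    """
    users = set()
    for info in flag_stuffing_sources(text, **thresholds).values():
        users.update(info["compromised"])
    return sorted(users)


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
    print("force reset:", compromised_accounts(SAMPLE_LOG))
```

Two caveats a practitioner would add before relying on this: real stuffing campaigns rotate through proxy pools, so per-IP thresholds must be paired with account-level signals (one account failing from many addresses, or a success immediately after a failure from elsewhere), and the detection is a backstop rather than a fix. Mandatory MFA removes the payoff from a replayed password even when the detection misses, which is why its absence is the first failing the ICO lists.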
“The company’s poor data security and failure to act swiftly left users exposed to significant risk,” Edwards said. “They were clearly unprepared for an attack of this scale, despite clear warning signs.”
23andMe, which filed for Chapter 11 bankruptcy in the U.S. in March 2025, initially planned to sell its assets to Regeneron Pharmaceuticals in a $256 million deal. However, a new agreement has now been reached with TTAM Research Institute – a non-profit biotech organisation led by 23andMe co-founder and former CEO Anne Wojcicki – for a revised price of $305 million.
TTAM has committed to upholding privacy protections, including allowing users to delete their genetic data, opt out of research, and close their accounts.
The ICO stated that while 23andMe addressed the failings identified during the investigation by the end of 2024, both UK and Canadian authorities will continue to monitor how the company protects personal data amid its ongoing restructuring.
With genetic data increasingly used in health, ancestry, and research services, the regulator warned that firms handling such information must meet the highest data protection standards to avoid similar incidents.