UK regulator fines 23andMe over massive genetic data breach

The U.K. Information Commissioner’s Office (ICO) has fined U.S.-based 23andMe £2.31 million for serious security failures that resulted in a 2023 data breach compromising the sensitive genetic and personal data of more than 155,000 British customers. The decision was made after a joint investigation with Canada’s Office of the Privacy Commissioner.
Issued under the Data Protection Act 2018, the Penalty Notice follows a comprehensive investigation conducted jointly with the Office of the Privacy Commissioner of Canada. This cross-border inquiry found that 23andMe violated Articles 5(1)(f) and 32(1) of the U.K. General Data Protection Regulation (U.K. GDPR), which require data controllers to implement adequate safeguards to protect personal data against unauthorized access, loss, or disclosure.
The penalty comes on the heels of a U.S. House Committee on Oversight and Government Reform hearing earlier this month that marked a critical juncture in the national conversation in the U.S. about the intersection of biotechnology, privacy, and national security. The hearing was prompted by the impending bankruptcy sale of 23andMe and signals a turning point in how the U.S. confronts the implications of biometric data, AI, and corporate accountability in the digital age.
The 23andMe breach occurred through a credential stuffing attack, a method in which hackers exploit users’ reuse of login credentials from other sites to gain access to their 23andMe accounts. The attack began as early as April 2023 and lasted for months without detection, despite signs of unauthorized access. Among the affected were individuals whose data included highly sensitive information such as raw genetic data, ancestral origins, family trees, and health-related insights. According to the U.K. ICO’s penalty notice, some data appeared to have been grouped and offered for sale based on ethnicity, including reports targeting Jewish individuals and families.
The investigation revealed that 23andMe lacked basic protections such as multi-factor authentication (MFA), secure password protocols, and effective monitoring systems. The company also failed to test its security measures regularly and did not adequately restrict access to the raw genetic data that customers could download through their accounts. Until November 2023, users could download their raw DNA files without additional identity verification; the only hurdle was a short wait time, which offered little deterrent to cybercriminals.
Warnings were missed or dismissed. As early as July 2023, 23andMe’s systems experienced unusual login spikes and internal reports flagged anomalies suggestive of attempted data theft. By August, the firm had received threats and messages through its customer contact portal from individuals claiming to possess vast quantities of user data. These threats were ignored or deemed hoaxes, and a full investigation was only initiated in October 2023, after the stolen data surfaced for sale on online forums including Reddit and BreachForums.
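A minimal version of the kind of monitoring the ICO found lacking, as an added example (not 23andMe's code or anything from the penalty notice), run over constructed login events: it flags a source that attempts many distinct accounts with a high failure rate, the signature of credential stuffing rather than a forgotten password, and lists the few successes, which are the reused-password accounts a responder would lock and reset.

```python
from collections import defaultdict

# Constructed sample authentication events (illustrative, not real logs):
# (src_ip, username, outcome). A stuffing source tries one leaked password
# per account across many accounts; a handful succeed where passwords were reused.
EVENTS = [("203.0.113.5", f"user{i:03d}", "ok" if i in (7, 19, 33) else "fail")
          for i in range(40)]
# Normal traffic: one user mistyping a password once, then logging in.
EVENTS += [("198.51.100.9", "alice", "fail"), ("198.51.100.9", "alice", "ok")]


def profile_sources(events):
    """Per-source-IP aggregate: attempts, distinct usernames, failures, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0, "ok": []})
    for ip, user, outcome in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "ok":
            s["ok"].append(user)
        else:
            s["fails"] += 1
    return stats


def flag_credential_stuffing(events, min_attempts=10, min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that hit many distinct accounts with mostly
    failures. Thresholds are illustrative and would be tuned per service."""
    flagged = {}
    for ip, s in profile_sources(events).items():
        fail_ratio = s["fails"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_users
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "fail_ratio": fail_ratio,
                           # the few successes are the accounts needing a forced reset
                           "compromised": sorted(s["ok"])}
    return flagged


if __name__ == "__main__":
    for ip, summary in flag_credential_stuffing(EVENTS).items():
        print(ip, summary)
```

In practice the same aggregation would run over a sliding time window so that a sudden spike in distinct-account failures, like the July 2023 anomalies described above, raises an alert while it is happening rather than months later.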
In total, over 6.9 million accounts were reportedly affected globally, with the attacker exploiting features like DNA Relatives and Family Tree, which allowed deeper access into connected profiles. The ICO’s findings emphasized the unique sensitivity of genetic data, which, unlike passwords or emails, cannot be changed or revoked once leaked. Some victims reported severe emotional distress, citing fears of discrimination, targeted attacks, and the irreversible exposure of private family histories.
The penalty was reduced from an initially proposed £4.59 million in view of 23andMe’s dire financial position: the company has filed for Chapter 11 bankruptcy in the U.S., citing over $2.4 billion in accumulated losses. Nonetheless, the ICO concluded that a financial penalty was still necessary to ensure an effective and dissuasive response to the breaches.
The case underscores the enduring risks posed by credential stuffing attacks and the pressing need for companies handling biometric or genetic information to implement rigorous cybersecurity standards. Following the incident, 23andMe implemented mandatory MFA and introduced stricter access protocols for raw DNA downloads, including additional identity verification and a 48-hour delay.
“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the U.K.,” U.K. Information Commissioner John Edwards said. “As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”
Edwards said, “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm. We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of U.K. residents.”
Edwards’ Canadian counterpart, Philippe Dufresne, echoed this concern, saying “strong data protection must be a priority for organizations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable.”
The penalty notice serves as a broader warning to the biotechnology and direct-to-consumer genetic testing industries. It reflects an evolving global standard in data protection enforcement, particularly as governments increasingly collaborate across borders to hold multinational firms accountable. As part of the fallout, 23andMe is also facing class-action lawsuits in the U.S., U.K., and Canada, brought by consumers seeking compensation for the mishandling of their data.
For the public, the breach serves as a cautionary tale. The ICO advises all individuals to use unique passwords across accounts, enable multi-factor authentication, and remain vigilant against phishing scams, especially when their data includes biometrics or genetic markers that could be exploited.
Despite financial challenges and ongoing litigation, 23andMe has promised to continue strengthening its security protocols. Whether that will be sufficient to restore public trust in genetic testing companies remains uncertain.
23andMe co-founder and former CEO Anne Wojcicki has submitted a $305 million bid to acquire “substantially all” of 23andMe’s assets via her nonprofit TTAM Research Institute as part of 23andMe’s Chapter 11 bankruptcy process.
Meanwhile, a coalition of 27 state attorneys general filed in federal bankruptcy court to challenge any transfer of genetic data without explicit user consent, even as 23andMe and its bidders argue that the sale conforms with privacy policies.