
ICO fines bankrupt 23andMe £2.3m for massive privacy breach

By Josh White

Date: Tuesday 17 Jun 2025


(Sharecast News) - DNA testing company 23andMe has been fined £2.31m by the UK's Information Commissioner's Office (ICO) for serious security failings that exposed sensitive personal data of over 155,000 UK residents in a large-scale cyber attack in 2023.
The penalty followed a joint investigation with the Office of the Privacy Commissioner of Canada, which found that the company failed to implement basic security protections and responded too slowly to emerging threats.

The attack occurred between April and September 2023, when a hacker used credential stuffing - replaying username and password pairs leaked in earlier, unrelated breaches against 23andMe's login page - to access around 14,000 user accounts.

Because the company's 'DNA Relatives' feature lets users view profile information about their genetic matches, each hijacked account also exposed data on the relatives linked to it, so the initial compromise of 14,000 accounts ultimately exposed data belonging to nearly 6.9 million individuals globally.

The ICO found that 23andMe did not require multi-factor authentication or enforce secure password practices, and lacked adequate monitoring to detect or respond to the attack while it was under way.

Notably, the company failed to apply additional verification before allowing users to download raw genetic data, despite its sensitive nature.
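As an added illustration (not part of Sharecast's reporting and not 23andMe's own code), the Python below shows two of the controls the ICO found missing: a heuristic that flags the credential-stuffing pattern described above in authentication logs, and a check that rejects passwords already present in leaked-credential dumps. The log format, the thresholds and the leaked-password list are constructed assumptions for this example.

```python
"""Credential-stuffing detection over authentication logs, plus a
breached-password check. Illustrative example only; the log format,
thresholds and leaked-password list below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import hashlib

# Constructed authentication log: timestamp, source IP, account, outcome.
# 203.0.113.10 tries eight different accounts once each and gets two hits
# (the stuffing signature); 198.51.100.7 is a user who mistypes once;
# 192.0.2.5 hammers a single account (brute force, a different signature).
SAMPLE_LOG = """\
2023-05-01T02:00:01Z 203.0.113.10 alice@example.com FAIL
2023-05-01T02:00:02Z 203.0.113.10 bob@example.com FAIL
2023-05-01T02:00:03Z 203.0.113.10 carol@example.com OK
2023-05-01T02:00:04Z 203.0.113.10 dave@example.com FAIL
2023-05-01T02:00:05Z 203.0.113.10 erin@example.com FAIL
2023-05-01T02:00:06Z 203.0.113.10 frank@example.com OK
2023-05-01T02:00:07Z 203.0.113.10 grace@example.com FAIL
2023-05-01T02:00:08Z 203.0.113.10 heidi@example.com FAIL
2023-05-01T08:15:00Z 198.51.100.7 alice@example.com FAIL
2023-05-01T08:15:20Z 198.51.100.7 alice@example.com OK
2023-05-01T09:00:00Z 192.0.2.5 bob@example.com FAIL
2023-05-01T09:00:01Z 192.0.2.5 bob@example.com FAIL
2023-05-01T09:00:02Z 192.0.2.5 bob@example.com FAIL
2023-05-01T09:00:03Z 192.0.2.5 bob@example.com FAIL
2023-05-01T09:00:04Z 192.0.2.5 bob@example.com FAIL
2023-05-01T09:00:05Z 192.0.2.5 bob@example.com FAIL
"""


@dataclass
class Attempt:
    when: datetime
    ip: str
    account: str
    ok: bool


def parse_log(text):
    """Parse the assumed 'timestamp ip account OK|FAIL' line format."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        attempts.append(Attempt(when, ip, account, outcome == "OK"))
    return attempts


def flag_stuffing(attempts, window_s=3600, min_accounts=5,
                  max_per_account=2.0, max_success_rate=0.5):
    """Return {ip: stats} for sources that, within one time window, try many
    distinct accounts only once or twice each and mostly fail. That is the
    credential-stuffing shape: the attacker already holds one candidate
    password per account, and most of them no longer work."""
    buckets = defaultdict(list)
    for a in attempts:
        buckets[(a.ip, int(a.when.timestamp()) // window_s)].append(a)
    flagged = {}
    for (ip, _), items in buckets.items():
        accounts = {a.account for a in items}
        if len(accounts) < min_accounts:
            continue  # one account, many tries: brute force, not stuffing
        if len(items) / len(accounts) > max_per_account:
            continue  # repeated guesses per account is not the stuffing shape
        successes = sorted(a.account for a in items if a.ok)
        if len(successes) / len(items) > max_success_rate:
            continue  # a shared NAT gateway with many real users mostly succeeds
        flagged[ip] = {"accounts": len(accounts), "attempts": len(items),
                       "compromised": successes}
    return flagged


# Constructed stand-in for a leaked-credential corpus. A real deployment would
# query a breach-check service by SHA-1 hash prefix instead of shipping a
# list; the prefix/suffix split below mirrors that k-anonymity lookup shape.
LEAKED_PASSWORDS = ["password123", "qwerty", "letmein", "Summer2023!"]


def build_breach_index(passwords):
    """Index leaked passwords as {sha1 prefix: {sha1 suffixes}}."""
    index = defaultdict(set)
    for pw in passwords:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(LEAKED_PASSWORDS)


def is_breached(password, index=BREACH_INDEX):
    """True if the password appears in the leaked corpus; reject it at
    registration or password change so stuffing has nothing to replay."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


if __name__ == "__main__":
    for ip, stats in flag_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
    print(is_breached("password123"), is_breached("correct horse battery staple"))
```

The thresholds are deliberately simple; in practice they would be tuned per population, and the flagged source would be rate-limited or forced through a step-up challenge rather than silently logged. Neither check replaces mandatory multi-factor authentication, which stops a correct leaked password from being sufficient on its own.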

"This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK," said information commissioner John Edwards.

"Once this information is out there, it cannot be changed or reissued like a password or credit card number."

The regulator also criticised the company's delayed response.

While malicious activity began in April 2023 and intensified in May and September, 23andMe only launched a full investigation in October - after an employee discovered stolen data being advertised on Reddit.

The company initially dismissed claims of a mass data theft in August, despite prior internal warnings.

By the end of 2024, the ICO acknowledged that 23andMe had made sufficient improvements to its security systems.

The ICO originally proposed a fine of £4.59m but reduced the amount after considering 23andMe's representations.

The company filed for Chapter 11 bankruptcy in the United States earlier in the year, and it was unclear how the fine would be paid.

The ICO said it was in close contact with the company's legal representatives and the US trustee overseeing the bankruptcy process.

23andMe is now set to be sold to the nonprofit TTAM Research Institute, led by its original co-founder Anne Wojcicki.

TTAM had made binding commitments to improve privacy protections, including allowing users to delete their accounts and data, opt out of research, and receive breach notifications.

Customers would also be offered two years of free identity theft monitoring.

While the ICO's fine goes to the UK Treasury, UK victims were not set to receive compensation.

In contrast, a US class action lawsuit had already secured $30m in damages for victims there.

23andMe had not commented publicly on the fine by the close of business on Tuesday.

Reporting by Josh White for Sharecast.com.

