The UK’s data protection regulator has fined genetic testing firm 23andMe £2.31 million following a large-scale data breach in 2023 that exposed the personal and sensitive health information of thousands of users, including over 155,000 UK residents.
The Information Commissioner’s Office (ICO) said on Monday that 23andMe had failed to implement basic security measures, leaving sensitive user information—including health reports, racial and ethnic identity, profile images, and family histories—vulnerable to cyberattack.
“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions,” said Information Commissioner John Edwards. “Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”
The breach originated in October 2023, when hackers launched what’s known as a “credential stuffing” attack. Using usernames and passwords obtained from previous unrelated data leaks, attackers were able to access 14,000 individual 23andMe accounts. Crucially, because 23andMe links users to their genetic relatives, this gave attackers the ability to extract data on an estimated 6.9 million people connected through the platform.
Although DNA data was not compromised, the stolen information included special category data under UK law—such as ethnicity, health information and familial relationships—which requires stricter protection under GDPR due to its highly sensitive nature.
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number,” Edwards said.
The ICO’s investigation, conducted in parallel with the Office of the Privacy Commissioner of Canada (OPC), found that 23andMe had breached UK data protection law by failing to implement multi-factor authentication (MFA), weak password policies, and insufficient controls over downloading raw genetic data.
The fine comes as 23andMe is undergoing bankruptcy proceedings and preparing to sell its assets. The company said last week it had agreed to a $305 million sale to the TTAM Research Institute, a non-profit biotechnology group led by co-founder and former CEO Anne Wojcicki. The deal is set to be reviewed by a bankruptcy court on Wednesday.
The sale replaces a previously proposed $256 million deal with Regeneron Pharmaceuticals. According to 23andMe, the higher-value TTAM deal includes binding commitments to enhance customer privacy and data protection—key concerns raised by regulators in both the UK and Canada.
Under the terms of the acquisition, the company said it would continue to allow users to delete their accounts, erase genetic data, and opt out of research participation.
In a statement, 23andMe said it had addressed the issues raised by the ICO and OPC by the end of 2024, implementing the recommended changes including additional security features.
Still, regulators remain cautious. Both watchdogs have called on the company to uphold ongoing privacy standardsduring and after the bankruptcy sale, particularly due to the sensitive nature of the data it holds.
The case represents a significant moment in the regulation of consumer-facing tech firms handling biometric and health-related data. While companies like 23andMe have gained popularity for their accessible genetic testing services, privacy advocates have long raised concerns about how such sensitive data is stored, shared, and monetised.
The ICO said it hoped the fine would send a message across the sector.
“This case highlights the need for robust authentication and verification processes,” Edwards added. “Organisations handling sensitive data must do more than the minimum to protect it.”
As data security standards tighten globally and consumer trust continues to falter in the wake of high-profile breaches, companies dealing in personal genomics may face increased scrutiny over how they manage the intersection of science, commerce, and privacy.
Read more:
UK watchdog fines 23andMe for ‘profoundly damaging’ data breach