UK fines 23andMe £2.31 million over cyberattack that exposed personal data of 155,000 UK users

The UK’s Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31 million for "serious security failings" that led to a major data breach in 2023. The breach exposed the sensitive personal information of 155,592 individuals in the United Kingdom, including health data, racial and ethnic backgrounds, family relationships, and partial location details.


The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada (OPC). The probe revealed that the California-based DNA testing company failed to implement adequate safeguards to protect UK users’ data and responded too slowly after the breach was discovered.


Between April and September 2023, hackers accessed user accounts through a method known as "credential stuffing," using login credentials stolen from other breaches to gain access to 23andMe’s systems. The attackers initially compromised around 14,000 user accounts, but because of the way 23andMe’s relative matching feature works, they were able to access personal data linked to approximately 6.9 million individuals worldwide.


Although no raw DNA files were compromised, the stolen data included names, birth years, some addresses, profile images, racial and ethnic identifiers, family trees, and in some cases, health reports. The ICO classified much of this as special category data under UK law, which is subject to stricter protections due to its sensitive nature.


In its findings, the ICO determined that 23andMe lacked appropriate authentication protocols, including the absence of mandatory multi-factor authentication. The firm also failed to enforce secure password standards or require additional verification for users attempting to download their genetic data. Furthermore, its internal systems did not adequately monitor or detect cyber threats, nor did it respond promptly to clear indicators of unauthorized access.
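The two failings the ICO describes above, credential stuffing against accounts without mandatory multi-factor authentication and the absence of monitoring that would have surfaced it, can be illustrated from the defender's side with a small log analysis. The following is an added example, not code from 23andMe, the ICO or the OPC; the log format, the field names, the sample lines and the thresholds are all assumptions chosen for illustration. It groups login attempts by source address and flags sources that cycle through many distinct usernames with a high failure rate, the signature of a stuffing run, and lists the accounts that source logged into without MFA as candidates for a forced password reset.

```python
"""Flag credential-stuffing activity in authentication logs.

Added example, not the company's or the regulator's code. The log format,
field names and thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines (not real logs): timestamp source_ip username result mfa
# One source tries seven different accounts in seconds; a normal user retypes a
# password once and then signs in with MFA from another address.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL mfa=0
2023-05-01T10:00:02Z 203.0.113.7 bob@example.com OK mfa=0
2023-05-01T10:00:03Z 203.0.113.7 carol@example.com FAIL mfa=0
2023-05-01T10:00:04Z 203.0.113.7 dave@example.com FAIL mfa=0
2023-05-01T10:00:05Z 203.0.113.7 erin@example.com FAIL mfa=0
2023-05-01T10:00:06Z 203.0.113.7 frank@example.com OK mfa=1
2023-05-01T10:00:07Z 203.0.113.7 grace@example.com FAIL mfa=0
2023-05-01T10:05:00Z 198.51.100.2 alice@example.com FAIL mfa=0
2023-05-01T10:05:09Z 198.51.100.2 alice@example.com OK mfa=1
"""


@dataclass
class SourceStats:
    """Per-source-address counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    logins_without_mfa: set = field(default_factory=set)


def parse_line(line: str):
    """Split one log line into (ip, user, succeeded, mfa_used); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, ip, user, result, mfa = parts
    return ip, user, result == "OK", mfa == "mfa=1"


def summarise(log_text: str) -> dict:
    """Aggregate attempts, failures and distinct usernames per source address."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ok, mfa = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if not ok:
            s.failures += 1
        elif not mfa:
            # A password-only success from a source under review is the
            # account most likely to have been taken over.
            s.logins_without_mfa.add(user)
    return stats


def detect_credential_stuffing(log_text: str, min_distinct_users: int = 5,
                               min_failure_ratio: float = 0.5) -> dict:
    """Return findings for sources that look like a credential-stuffing run.

    A source is flagged when it has attempted at least `min_distinct_users`
    different accounts and at least `min_failure_ratio` of its attempts failed.
    Thresholds are illustrative; tune them to the service's normal traffic.
    """
    findings = {}
    for ip, s in summarise(log_text).items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and ratio >= min_failure_ratio:
            findings[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "failure_ratio": round(ratio, 2),
                "accounts_to_reset": sorted(s.logins_without_mfa),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

On the constructed lines only 203.0.113.7 is flagged: seven distinct usernames, five failures out of seven attempts, and one password-only success (bob@example.com) that should be reset and investigated, while frank@example.com survived the run because the login was challenged for a second factor. The normal user at 198.51.100.2 never reaches the distinct-user threshold. In production the same counters would be kept over a sliding window and keyed on additional attributes (user agent, ASN, device fingerprint), since stuffing tools rotate addresses.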


The breach was not confirmed by the company until October 2023, when an employee found the stolen data being advertised for sale on Reddit. This was several months after the initial intrusion and weeks after preliminary internal investigations had begun.


"This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK," said UK Information Commissioner John Edwards. "23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm."


Canada’s Privacy Commissioner Philippe Dufresne echoed those concerns, stressing the need for firms handling sensitive personal information to treat data protection as a core priority. He highlighted the collaborative nature of the investigation as a model for addressing international privacy violations.


The fallout from the breach has coincided with a turbulent period for 23andMe. The company filed for bankruptcy protection in the United States in March 2025, citing financial struggles and reputational damage. The data breach has fueled user mistrust, prompting many to seek deletion of their data from the company’s databases.


In the wake of its financial troubles, 23andMe was initially set to be acquired by Regeneron Pharmaceuticals for $256 million. However, a competing $305 million bid from TTAM Research Institute, a non-profit biotechnology group led by 23andMe co-founder and former CEO Anne Wojcicki, ultimately prevailed in a bankruptcy auction.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543