On June 5, 2025, the UK’s Information Commissioner’s Office (ICO) fined 23andMe £2.31 million (~$3.1 million). The fine was for failing to implement adequate security measures to protect the personal data of over 155,000 UK users. The penalty followed a joint investigation with the Office of the Privacy Commissioner of Canada, highlighting how regulators are increasingly working together to investigate breaches of data protection legislation.
The ICO’s penalty notice is available here. See also its recent actions against Advanced Computer Software Group and DPP Law for similar security failings.
What is 23andMe?
23andMe is a US-based personal genomics and biotechnology company. It offers direct-to-consumer genetic testing services. Customers send in saliva samples to receive insights into ancestry, health risks, and genetic traits. They can also access health reports and download raw genetic data. With millions of users worldwide, the company holds large amounts of sensitive personal and genetic data.
It recently entered bankruptcy proceedings, and a US bankruptcy court has since approved the sale of its assets to a non-profit led by 23andMe's founder and former CEO.
What happened?
In 2023, 23andMe suffered a data breach caused by a credential stuffing attack that ran for several months, from April to September. An unauthorized third party replayed email/password pairs stolen in unrelated breaches of other services against 23andMe's login page, gaining access to the accounts of customers who had reused those credentials.
23andMe first became aware of the issue in August 2023, when it received messages through its customer portal and saw a post on the Hydra Market platform. The messages and post purported to be from the unauthorized third party, who claimed to have accessed over 300 terabytes of data, including 10 million DNA records. The ICO's notice states that 23andMe opened an internal IT ticket on receipt of the messages but closed it shortly afterwards, believing the claim to be a hoax.
In October 2023, personal data of 23andMe customers appeared for sale on multiple forums. The unauthorized third party claimed the data had been selected on the basis of racial and ethnic background. On discovering this, 23andMe reopened its investigation, took steps to contain the breach, and notified customers on October 6. It informed the ICO on October 15. In the course of its investigation, 23andMe also found that eight accounts may have been accessed in similar, unrelated attacks in 2019 and 2020.
What personal data was impacted?
Approximately half of 23andMe's customer base of roughly 14 million people is believed to have been affected. Only a small fraction of accounts were accessed directly through credential stuffing; most of the affected individuals were relatives whose profile information was visible to those accounts through 23andMe's DNA Relatives and Family Tree features. The data exposed varied by customer, but some of it included special category data such as health information, genetic data, and racial or ethnic origin.
Failings identified by the ICO
Given the sensitivity of the data, the ICO found that 23andMe had failed to implement appropriate technical and organizational safeguards. The failings included:
- Not using multi-factor authentication (MFA) for logins
- Inadequate controls to restrict the ability to download raw genetic data
- Poor monitoring and incident response systems
- Requiring customers to use their email addresses as usernames rather than unpredictable usernames, so that the username half of any leaked email/password pair could be reused directly
- Weak password policies including not checking passwords against a list of common words and known compromised credentials
- No device or browser fingerprinting to detect logins from unfamiliar devices
- No extra verification steps required before allowing customers to download raw data
Key takeaways
The ICO again emphasized the importance of MFA, as it did in the Advanced and DPP Law cases. It rejected 23andMe's argument that its older customer base lacked the digital skills needed to use MFA effectively.
Credential stuffing is a well-known risk for any online service, so the ICO expects companies to have tested controls in place to detect and prevent it, not merely a policy that says they should.
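The monitoring failing listed above and the ICO's expectation of tested anti-stuffing controls both come down to the same detection problem: a credential stuffing run looks nothing like a brute-force attack on one account, because each account receives only one or two attempts and per-account lockouts never fire. The signature is a single source trying many different accounts in a short window with a low success rate. The following is an added example written for this article; it is not 23andMe's code and is not taken from the ICO notice. The log format, the thresholds and the sample events are all constructed for illustration.

```python
"""Heuristic credential-stuffing detector run over constructed login events.

Added example for this article; not 23andMe's code and not from the ICO notice.
The log format, thresholds and sample events are assumptions chosen to show the pattern.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    username: str
    success: bool


# Constructed sample log (hypothetical format: "<ISO timestamp> <ip> <user> OK|FAIL").
# 203.0.113.7 replays leaked email/password pairs against eight different
# accounts in about thirty seconds and gets into two of them: the stuffing signature.
# 198.51.100.23 is a real user mistyping her own password twice.
# 192.0.2.44 is a shared office address with two legitimate logins.
SAMPLE_LOG = """\
2023-05-01T10:00:00 203.0.113.7 alice@example.com FAIL
2023-05-01T10:00:04 203.0.113.7 bob@example.com OK
2023-05-01T10:00:09 203.0.113.7 carol@example.com FAIL
2023-05-01T10:00:13 203.0.113.7 dave@example.com OK
2023-05-01T10:00:18 203.0.113.7 erin@example.com FAIL
2023-05-01T10:00:22 203.0.113.7 frank@example.com FAIL
2023-05-01T10:00:27 203.0.113.7 grace@example.com FAIL
2023-05-01T10:00:31 203.0.113.7 heidi@example.com FAIL
2023-05-01T10:02:00 198.51.100.23 carol@example.com FAIL
2023-05-01T10:02:30 198.51.100.23 carol@example.com FAIL
2023-05-01T10:02:50 198.51.100.23 carol@example.com OK
2023-05-01T10:05:00 192.0.2.44 ivan@example.com OK
2023-05-01T10:06:00 192.0.2.44 judy@example.com OK
"""


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the hypothetical log format above into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def detect_credential_stuffing(
    events: List[LoginEvent],
    window: timedelta = timedelta(minutes=10),
    min_accounts: int = 5,
    max_success_ratio: float = 0.5,
) -> Dict[str, dict]:
    """Flag source IPs that attempt at least `min_accounts` *different* accounts
    inside any sliding `window` with a success ratio at or below `max_success_ratio`.

    Returns, per flagged IP, the largest window seen (attempt and account counts)
    and the set of accounts the IP actually logged into, which are the likely takeovers.
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span [start, end] fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e.username for e in win}
            if len(accounts) < min_accounts:
                continue  # one user retrying their own password is not a spray
            n_success = sum(1 for e in win if e.success)
            if n_success / len(win) > max_success_ratio:
                continue  # mostly successful: a shared NAT or office, not stuffing
            f = findings.setdefault(ip, {"attempts": 0, "accounts": 0, "compromised": set()})
            f["attempts"] = max(f["attempts"], len(win))
            f["accounts"] = max(f["accounts"], len(accounts))
            f["compromised"] |= {e.username for e in win if e.success}
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} attempts across {f['accounts']} accounts; "
              f"likely compromised: {sorted(f['compromised'])}")
```

The detector keys on the source rather than the target account, which is what per-account lockouts miss. The successful logins inside a flagged window are the accounts to force a password reset and step-up verification on, rather than waiting for a forum post. In production the same logic would run over a device or browser fingerprint and ASN as well as the IP, since stuffing tools rotate through residential proxies, and the thresholds would be tuned against the service's own traffic.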
It is important to ensure that individual notifications comply with Article 34(2) GDPR. 23andMe's notifications to affected individuals did not state the period of the breach, did not mention that raw genetic data may have been accessed, and did not explain the likely consequences of the breach for the recipient.
The ICO will usually treat lack of cooperation as an aggravating factor. In this case, 23andMe:
- Did not provide information in the requested format
- Missed deadlines
- Frequently asked for extensions
- Delayed key disclosures
- Changed previous responses
- Failed to update the ICO while informing other regulators
Because of 23andMe's financial difficulties, the ICO ultimately treated its lack of cooperation as a neutral rather than an aggravating factor. Even so, the fine shows the value of engaging external legal counsel and forensic providers early to conduct a thorough investigation and deliver a structured regulatory response.