The Information Commissioner's Office ("ICO") has fined genetic testing giant 23andMe £2.31 million, citing “inadequate security measures” that led to a cyberattack in 2023 exposing the personal data of over 150,000 UK users - and almost 7 million users worldwide. ICO Commissioner, John Edwards, described the cyberattack as a “profoundly damaging breach”, noting that once leaked, users' most sensitive genetic data cannot be changed like a password.
What happened
Between April and September 2023, a hacker used credential stuffing - reusing login credentials stolen in earlier, unrelated data breaches - to access 155,592 UK user accounts. The attack went undetected until October 2023, only coming to light when the stolen data was advertised for sale on Reddit.
As a result, the hacker accessed the users' personal information including their names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports.
ICO's response
The ICO launched a joint investigation with the Office of the Privacy Commissioner of Canada, given the international impact of the cyberattack and the highly sensitive nature of the personal information involved. Mr Edwards commented, "[d]ata protection doesn't stop at borders, and neither do we when it comes to protecting the rights of UK residents".
The investigation found that at the time of the cyberattack 23andMe:
- Failed to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication ("MFA"), secure password protocols or unpredictable usernames; and
- Failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect or respond to cyber threats targeting its users' personal information.
The investigation also found that 23andMe failed to respond adequately to the cyberattack, given the significant time it took to identify and confirm it.
The above failures led to a preliminary fine of £4.59 million, which was adjusted down to £2.31 million for 23andMe's co-operation and representation during the investigation.
Full details of the cyberattack and investigation can be found in the ICO's monetary penalty notice here.
The aftermath
It comes as no surprise that the aftermath has been significant for 23andMe. The penalty follows numerous class action and arbitration claims in the US, Canada and the UK, investigations by US regulators, the resignation of the company's entire Board of Directors in September 2024 and its filing for bankruptcy protection in March 2025.
It is not all doom and gloom, however: by the end of 2024, 23andMe had sufficiently improved its security to bring an end to the breaches identified in the ICO's provisional decision. These improvements included enabling MFA (which became mandatory after November 2023), committing not to sell or transfer genetic data without the user's consent, and offering identity monitoring services to affected UK users.
Our comment
The fine imposed on 23andMe and the ongoing impacts on its business serve as a wake-up call for organisations to ensure that they are adequately protecting personal information, especially those that obtain and retain highly sensitive personal information that cannot be changed.
In today’s digital landscape, the threat of cyberattacks is not a matter of if, but when. Whether you are a small business, charity or large organisation, we urge you to treat cyber security and data protection as critical aspects of risk management.
To mitigate these risks, organisations must take a proactive approach. To this end, drawing directly from the ICO’s action against 23andMe, organisations should ensure that they implement the following:
- Appropriate authentication and verification measures, such as mandatory multi-factor authentication and password security policies;
- Effective security measures specifically focussed on the access to, and download of, special category data; and
- Measures to monitor, detect and appropriately respond to threats to customer personal data, such as device, browser or connection fingerprinting and access to device history.
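As an added illustration of the monitoring point above (this is example code, not drawn from the ICO notice or from 23andMe's systems), the following Python sketch flags credential stuffing in constructed authentication logs: a single device/browser fingerprint attempting logins across many distinct accounts with a high failure rate, which is how the 2023 attack would have looked from the defender's side. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). Each line records a
# login attempt keyed by a device/browser fingerprint ("fp") and the account tried.
SAMPLE_LOG = """\
2023-05-01T02:00:01Z fp=a1b2 user=alice result=FAIL
2023-05-01T02:00:02Z fp=a1b2 user=bob result=FAIL
2023-05-01T02:00:03Z fp=a1b2 user=carol result=OK
2023-05-01T02:00:04Z fp=a1b2 user=dave result=FAIL
2023-05-01T02:00:05Z fp=a1b2 user=erin result=OK
2023-05-01T02:00:06Z fp=a1b2 user=frank result=FAIL
2023-05-01T09:12:00Z fp=c3d4 user=grace result=OK
2023-05-01T09:13:10Z fp=c3d4 user=grace result=FAIL
2023-05-01T09:13:20Z fp=c3d4 user=grace result=OK
"""

LINE_RE = re.compile(r"^(\S+) fp=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Parse the assumed log format into a list of login-attempt events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m.group(1), "fp": m.group(2),
                           "user": m.group(3), "ok": m.group(4) == "OK"})
    return events


def detect_credential_stuffing(events, min_accounts=5, min_fail_ratio=0.4):
    """Return fingerprints whose attempts spread across many distinct accounts
    with a high failure rate (credential stuffing), unlike a single legitimate
    user mistyping their own password. Accounts where the attempt succeeded are
    listed so they can be locked, reset and notified."""
    by_fp = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for e in events:
        s = by_fp[e["fp"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["hits"].add(e["user"])
        else:
            s["fails"] += 1
    alerts = {}
    for fp, s in by_fp.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            alerts[fp] = {"accounts_tried": len(s["users"]),
                          "fail_ratio": round(fail_ratio, 2),
                          "compromised": sorted(s["hits"])}
    return alerts
```

Running `detect_credential_stuffing(parse_log(SAMPLE_LOG))` flags fingerprint `a1b2` (six accounts, two of them successfully entered) and leaves the lone user behind `c3d4` alone; in production the same counting would be done per rolling time window rather than over a whole file.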
When a data breach does occur, organisations should provide the following key information when alerting data subjects to the breach:
- The period within which the data breach occurred;
- Any possibility of special category data having been accessed by the threat actor; and
- The likely consequences which could result from the data breach.
You can read more of our practical cyber security tips here.
Protecting data is not just about compliance - it is about safeguarding the trust of every client and stakeholder.
If you have any questions about how to be prepared for a cyberattack or your organisation's data protection obligations, please contact Hetal Ruparelia, Matthew Garbutt, Avary Patutama or Georgia Maskell.