The UK Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31 million (approximately USD 3.12 million) for serious security failures that led to a major data breach in 2023, exposing the sensitive personal and genetic information of millions.
The breach, which remained undetected for five months between April and September 2023, was caused by credential stuffing attacks using stolen login credentials. According to the ICO, the compromised data included genotype data, health reports, family histories, and personal information belonging to UK residents.
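Credential stuffing has a recognisable shape in authentication logs: one client sprays many different account names in a short burst, most attempts fail against stale passwords, and the few that succeed are the compromised accounts. The following Python is an added example, not code from the article or from 23andMe, showing detection logic of that kind run over constructed log lines. The log format (`<ISO timestamp> <ip> <user> <LOGIN_OK|LOGIN_FAIL>`), the sample IPs and usernames, and the thresholds are all assumptions chosen for illustration.

```python
"""Toy credential-stuffing detector over constructed authentication log lines.

Added example; the log format, thresholds and sample data are assumptions,
not taken from the article or from any real 23andMe system.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays ten different accounts in a few
# seconds with two successes; 198.51.100.2 is one user mistyping a password;
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2023-04-03T10:00:01 203.0.113.7 alice LOGIN_FAIL
2023-04-03T10:00:02 203.0.113.7 bob LOGIN_FAIL
2023-04-03T10:00:02 203.0.113.7 carol LOGIN_FAIL
2023-04-03T10:00:03 203.0.113.7 dave LOGIN_OK
2023-04-03T10:00:03 203.0.113.7 erin LOGIN_FAIL
2023-04-03T10:00:04 203.0.113.7 frank LOGIN_FAIL
2023-04-03T10:00:05 203.0.113.7 grace LOGIN_OK
2023-04-03T10:00:05 203.0.113.7 heidi LOGIN_FAIL
2023-04-03T10:00:06 203.0.113.7 ivan LOGIN_FAIL
2023-04-03T10:00:07 203.0.113.7 judy LOGIN_FAIL
2023-04-03T10:05:00 198.51.100.2 alice LOGIN_FAIL
2023-04-03T10:05:10 198.51.100.2 alice LOGIN_FAIL
2023-04-03T10:05:30 198.51.100.2 alice LOGIN_OK
2023-04-03T11:00:00 192.0.2.9 bob LOGIN_OK
"""

MAX_GAP = timedelta(minutes=5)   # silence longer than this ends a burst (assumed)
MIN_DISTINCT_ACCOUNTS = 5        # one client trying many different accounts (assumed)
MIN_FAIL_RATIO = 0.5             # stuffed lists are mostly stale, so most attempts fail (assumed)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass(frozen=True)
class Finding:
    ip: str
    window_start: datetime
    window_end: datetime
    attempts: int
    distinct_accounts: int
    failures: int
    compromised_accounts: tuple[str, ...]  # accounts that logged in OK from the flagged client


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed whitespace-separated log format into sorted events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, outcome = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"))
    return sorted(events, key=lambda e: e.ts)


def _evaluate_burst(ip: str, burst: list[AuthEvent]) -> Finding | None:
    """Flag a burst that sprays many accounts with a high failure ratio."""
    attempts = len(burst)
    failures = sum(1 for e in burst if not e.ok)
    accounts = {e.user for e in burst}
    if len(accounts) < MIN_DISTINCT_ACCOUNTS or failures / attempts < MIN_FAIL_RATIO:
        return None
    return Finding(
        ip=ip,
        window_start=burst[0].ts,
        window_end=burst[-1].ts,
        attempts=attempts,
        distinct_accounts=len(accounts),
        failures=failures,
        compromised_accounts=tuple(sorted(e.user for e in burst if e.ok)),
    )


def detect_credential_stuffing(events: list[AuthEvent]) -> list[Finding]:
    """Group each client's attempts into bursts separated by more than MAX_GAP
    of silence, then evaluate every burst independently."""
    by_ip: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    findings: list[Finding] = []
    for ip, evs in by_ip.items():
        burst: list[AuthEvent] = []
        for e in evs + [None]:  # trailing sentinel flushes the last burst
            if e is not None and (not burst or e.ts - burst[-1].ts <= MAX_GAP):
                burst.append(e)
                continue
            finding = _evaluate_burst(ip, burst)
            if finding is not None:
                findings.append(finding)
            burst = [e] if e is not None else []
    return findings


def accounts_to_reset(findings: list[Finding]) -> set[str]:
    """Accounts that authenticated successfully from a flagged client: candidates
    for a forced password reset and a second-factor challenge."""
    return {user for f in findings for user in f.compromised_accounts}


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.ip}: {f.attempts} attempts on {f.distinct_accounts} accounts, "
              f"{f.failures} failures, successes: {', '.join(f.compromised_accounts)}")
    print("reset:", sorted(accounts_to_reset(found)))
```

The per-client bursting deliberately separates the spraying client from the legitimate user who fails twice against a single account, so the second pattern is not flagged. In practice the same logic would be fed from the identity provider's sign-in logs and the thresholds tuned against baseline traffic; the point the article underlines is that this signal was present for months without anyone acting on it.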
“This was a profoundly damaging breach,” said UK Information Commissioner John Edwards. “Once this information is out there, it cannot be changed or reissued like a password or credit card number.”
The stolen data appeared on the BreachForums hacking forum and even the unofficial 23andMe subreddit, further amplifying the privacy risk. The breach affected 4.1 million people in the UK and Germany, and 1 million Ashkenazi Jews—a particularly sensitive demographic due to historical targeting and genetic tracing.
In response, 23andMe rolled out stronger security measures, including mandatory two-factor authentication and password resets for all users. Despite these updates, the breach has had lasting consequences. The company is facing multiple class-action lawsuits and, in September 2024, agreed to a $30 million settlement in the U.S.
The ICO stated that the fine amount was calculated based on its Data Protection Fining Guidance, factoring in representations from 23andMe. The penalty also comes shortly after the California-based company filed for Chapter 11 bankruptcy in March 2025, citing prolonged financial difficulties.