UK regulator fines 23andMe £2.3m over cyber attack failings

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users following a large-scale cyber attack in 2023.

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials stolen from previous unrelated data breaches.

This resulted in unauthorised access to personal information belonging to 155,592 UK residents, potentially exposing names, birth years, self-reported city or postcode-level locations, profile images, race, ethnicity, family trees, and health reports. The type and amount of data accessed varied depending on the details stored in each customer’s account.

In a statement on Tuesday, the ICO found that 23andMe had failed to introduce adequate security measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. These shortcomings allowed the attacker to exploit the weaknesses and access highly sensitive data.

The regulator also noted that 23andMe did not implement sufficient controls over access to raw genetic data and lacked effective systems to monitor, detect, or respond to cyber threats targeting customers’ information.
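As an added illustration of the monitoring the regulator says was missing, here is a small credential-stuffing detector run over constructed authentication log lines (example code written for this page, not 23andMe's own systems). The log field layout, the IP addresses and the thresholds are all assumptions; the heuristic is that a stuffing source tries many distinct accounts with a low success rate, which distinguishes it from a single user retrying one account.

```python
from collections import defaultdict

# Constructed sample log lines (not real data): timestamp, source IP, username, result
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice FAIL
2023-05-01T10:00:02Z 203.0.113.7 bob FAIL
2023-05-01T10:00:02Z 203.0.113.7 carol OK
2023-05-01T10:00:03Z 203.0.113.7 dave FAIL
2023-05-01T10:00:04Z 203.0.113.7 erin FAIL
2023-05-01T10:00:05Z 203.0.113.7 frank OK
2023-05-01T10:00:06Z 203.0.113.7 grace FAIL
2023-05-01T10:00:07Z 203.0.113.7 heidi FAIL
2023-05-01T10:00:08Z 198.51.100.2 alice FAIL
2023-05-01T10:00:09Z 198.51.100.2 alice FAIL
2023-05-01T10:00:10Z 198.51.100.2 alice OK
"""

def parse(log_text):
    """Turn the assumed whitespace-separated log format into (ts, ip, user, ok) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events

def find_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that tried at least `min_users` distinct accounts with a
    success rate at or below `max_success_rate`. For each flagged IP, list the
    accounts it logged into successfully: those are the ones to reset and
    whose sessions should be revoked."""
    per_ip = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(), "hits": []})
    for _ts, ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["ok"] += 1
            s["hits"].append(user)
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"users": len(s["users"]),
                           "success_rate": round(rate, 2),
                           "compromised": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample log the first IP is flagged (8 accounts tried, 25% success, two accounts compromised) while the second, a single user retrying their own account, is not.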

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions,” said information commissioner John Edwards.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm,” he added.

The ICO conducted its investigation alongside Canadian regulators, emphasising the importance of international cooperation in holding global companies accountable.

Philippe Dufresne, privacy commissioner of Canada, praised the joint effort, stating: “By leveraging our combined powers, resources, and expertise, we are able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”

In May, US biotechnology firm Regeneron agreed to acquire 23andMe for $256 million, with the deal expected to close in the third quarter of 2025. The agreement follows 23andMe’s filing for bankruptcy protection in the US two months prior.
