23andMe Fined £2.3M Over UK Data Breach

Genetic testing company 23andMe has been fined over £2.3m for failing to protect the personal data of more than 150,000 UK residents after a cyberattack in 2023. The breach exposed sensitive information including family trees, health reports, and postcodes.

The UK Information Commissioner’s Office (ICO) found that 23andMe had inadequate security systems and had failed to implement basic steps to protect user authentication. The attacker exploited a common weakness: users reusing passwords that had already been stolen in other breaches. Automated tools were used to try those stolen credentials against 23andMe accounts, a technique commonly known as credential stuffing.
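As an added example (not from the article or from 23andMe), the Python below shows how the attack pattern described above looks in authentication logs and how a defender might flag it: one source trying many different accounts, mostly failing, with occasional successes. The log format, the sample lines and the thresholds are assumptions.

```python
# Added example: minimal credential-stuffing detector over constructed auth log lines.
# The log line format, sample IPs/users and thresholds are assumptions for illustration.
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: 203.0.113.7 cycles through many accounts with leaked passwords;
# 198.51.100.4 is an ordinary user who mistypes once and then logs in.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z src=203.0.113.7 user=alice result=fail
2023-10-01T10:00:02Z src=203.0.113.7 user=bob result=fail
2023-10-01T10:00:03Z src=203.0.113.7 user=carol result=ok
2023-10-01T10:00:04Z src=203.0.113.7 user=dave result=fail
2023-10-01T10:00:05Z src=203.0.113.7 user=erin result=fail
2023-10-01T10:00:06Z src=203.0.113.7 user=frank result=fail
2023-10-01T10:00:07Z src=198.51.100.4 user=grace result=fail
2023-10-01T10:00:09Z src=198.51.100.4 user=grace result=ok
"""

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that attempted at least min_users distinct
    accounts with a failure ratio of at least min_fail_ratio. Accounts that the
    source did log into are listed so they can be forced through a password reset."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "hits": set()})
    for ev in parse(log_text):
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        if ev["result"] == "fail":
            s["fail"] += 1
        else:
            s["ok"] += 1
            s["hits"].add(ev["user"])
    flagged = {}
    for ip, s in per_ip.items():
        total = s["fail"] + s["ok"]
        if len(s["users"]) >= min_users and s["fail"] / total >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "failures": s["fail"],
                           "compromised": sorted(s["hits"])}
    return flagged
```

In a real deployment the same per-source counting would feed rate limiting and a forced reset for the accounts in `compromised`, alongside rejecting known-breached passwords at signup and requiring a second factor.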

The ICO described the breach as “profoundly damaging” and said it left people’s sensitive data vulnerable to exploitation and harm. John Edwards, the information commissioner, stated that once the data is compromised, it cannot be changed or reissued like a password or credit card number.

23andMe has since taken steps to strengthen security, including allowing individuals to delete their account and opt out of research at any time. As part of the acquisition deal, the non-profit of the company’s former CEO, Anne Wojcicki, has also committed to enhancing protections for customer data and privacy.

Source: https://www.theguardian.com/technology/2025/jun/17/dna-testing-firm-23andme-fined-23m-by-uk-regulator-for-2023-data-hack