
Genetic testing firm 23andMe has been fined £2.31 million by the UK’s data protection watchdog for “serious security failings” after personal information of more than 155,000 UK users was accessed in a major cyber attack.
The Information Commissioner’s Office (ICO) said the DNA testing kit firm, which filed for bankruptcy in the US in March, failed to properly protect UK user data and also responded inadequately to the hack in 2023.
The penalty follows a joint investigation between the ICO and the Office of the Privacy Commissioner of Canada.
The attack, which took place between April and September 2023, saw personal information of 155,592 UK residents accessed by the hacker, potentially revealing names, birth years, some addresses, profile images, race, ethnicity, family trees and health reports.
Between April and September 2023, a hacker carried out a credential stuffing attack gaining access to this sensitive information. Learn all the details about our joint investigation on our website: https://t.co/4bYXHnkY5F
— ICO - Information Commissioner's Office (@ICOnews), June 17, 2025
The ICO said its investigation found 23andMe did not have extra verification steps for users to access and download their raw genetic data, while it also failed to have adequate authentication and verification measures in place, such as mandatory multi-factor authentication, secure password protocols or unpredictable usernames.
The firm also did not have effective systems in place to monitor, detect or respond to cyber threats targeting its customers’ sensitive information.
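As an added illustration (not code from 23andMe, the ICO or the original article), the Python below sketches the two defender-side controls the ICO describes as missing: a detection rule that flags credential stuffing in authentication logs (one source trying many different accounts with mostly failures), and a step-up check that refuses to release raw genetic data to a session that has not completed multi-factor authentication and a recent re-authentication. The log lines, IP addresses, thresholds and session fields are all constructed for the example.

```python
"""
Defender-side illustration of two controls: credential-stuffing detection
over authentication logs, and step-up verification before a raw genetic
data download. Every log line, address, threshold and session field here
is constructed for the example; none comes from 23andMe or the ICO.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample authentication log.
# Format: ISO timestamp | source IP | username | result
SAMPLE_AUTH_LOG = """\
2023-04-12T10:00:01 | 203.0.113.5 | alice@example.org | FAIL
2023-04-12T10:00:02 | 203.0.113.5 | bob@example.org | FAIL
2023-04-12T10:00:02 | 203.0.113.5 | carol@example.org | FAIL
2023-04-12T10:00:03 | 203.0.113.5 | dave@example.org | SUCCESS
2023-04-12T10:00:04 | 203.0.113.5 | erin@example.org | FAIL
2023-04-12T10:00:05 | 203.0.113.5 | frank@example.org | FAIL
2023-04-12T10:00:06 | 203.0.113.5 | grace@example.org | FAIL
2023-04-12T10:00:07 | 203.0.113.5 | heidi@example.org | FAIL
2023-04-12T10:05:00 | 198.51.100.7 | alice@example.org | FAIL
2023-04-12T10:05:20 | 198.51.100.7 | alice@example.org | SUCCESS
"""


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_auth_log(text: str) -> list:
    """Parse the constructed pipe-separated log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = [p.strip() for p in line.split("|")]
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_ratio=0.2) -> dict:
    """Return {ip: (distinct_users, attempts, successes)} for source IPs whose
    activity inside any sliding window looks like credential stuffing: many
    *different* accounts tried from one source, with mostly failures. One
    account failing repeatedly (a forgotten password) does not trip the rule,
    and a stuffing run is still flagged even if a few guesses succeed."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            successes = sum(e.ok for e in span)
            if len(users) >= min_distinct_users and successes / len(span) <= max_success_ratio:
                prev = flagged.get(ip)
                if prev is None or len(span) > prev[1]:  # keep the largest matching window
                    flagged[ip] = (len(users), len(span), successes)
    return flagged


@dataclass
class Session:
    """Hypothetical session record; field names are assumptions for the example."""
    user: str
    mfa_verified: bool
    last_reauth: Optional[datetime] = None


def can_download_raw_genetic_data(session: Session, now: datetime,
                                  reauth_max_age=timedelta(minutes=5)):
    """Step-up check: a password-only login is not enough to export raw genotype
    data. Require a completed MFA factor and a fresh re-authentication."""
    if not session.mfa_verified:
        return False, "mfa_required"
    if session.last_reauth is None or now - session.last_reauth > reauth_max_age:
        return False, "reauth_required"
    return True, "ok"


if __name__ == "__main__":
    hits = detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG))
    for ip, (users, attempts, successes) in hits.items():
        print(f"ALERT {ip}: {users} accounts tried in {attempts} attempts, {successes} succeeded")
    now = datetime(2023, 4, 12, 10, 10, 0)
    print(can_download_raw_genetic_data(Session("dave@example.org", mfa_verified=False), now))
```

The detection rule keys on the shape of stuffing traffic rather than on failed-login counts alone, which is why the single successful guess from 203.0.113.5 does not hide the run; the step-up check is deliberately separate from login so that a stolen or reused password on its own never reaches the raw data export.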
Information Commissioner John Edwards said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories and even health conditions of thousands of people in the UK.
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.
“23andMe failed to take basic steps to protect this information.
“Their security systems were inadequate, the warning signs were there, and the company was slow to respond.
“This left people’s most sensitive data vulnerable to exploitation and harm.”
The fine comes as the firm’s former chief executive, Anne Wojcicki, looks set to regain control of 23andMe after outbidding rival suitor, Regeneron Pharmaceuticals.
A 305 million US dollar (£226 million) bid from a non-profit firm she controls topped a rival 256 million dollar (£190 million) offer from Regeneron Pharmaceuticals in a bankruptcy auction.
The deal is expected to close in the coming weeks.
The ICO said 23andMe was first hacked in April 2023, when it was hit with a so-called credential stuffing attack.
In August 2023, a claim of data theft affecting more than 10 million users worldwide was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform the previous month, according to the ICO.
The hacker launched another attack in September of that year, but the company did not start a full investigation until October, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit.
“Only then did 23andMe confirm that a breach had occurred,” the ICO said.
Canada’s privacy commissioner Philippe Dufresne said: “Strong data protection must be a priority for organisations, especially those that are holding sensitive personal information.
“With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organisation that is not taking steps to prioritise data protection and address these threats is increasingly vulnerable.”
He added that the joint probe with Britain’s ICO shows “how regulatory collaboration can more effectively address issues of global significance”.
23andMe filed for bankruptcy protection in the US in March, after struggling with heavy losses and facing the aftermath of the data hack.
Privacy experts have since raised concerns about what could happen to the vast amounts of genetic and other personal data the company holds if it is sold to a third party, with many urging users to log in and request that their data be deleted.
The ICO said it received complaints from 23andMe customers concerned about their personal data being hacked amid fears it could be used for financial fraud, surveillance or discrimination.
One affected customer told the ICO: “Disgusted that my DNA data could be out there in the wild and been exposed to bad actors.
“Extremely anxious about what this could mean to my personal, financial and family safety in the future.”