Fight censorship and surveillance. Reclaim your digital freedom.

Get news updates, features, and alternative tech explorations to defend your digital rights.

UK Fines 23andMe $3.1M Over Major Genetic Data Breach

Under pressure to modernize, 23andMe clung to outdated defenses while storing humanity’s most unchangeable secrets.



The UK's Information Commissioner's Office (ICO) has fined 23andMe £2.31 million ($3.1 million) over a security failure that exposed the genetic and personal profiles of more than 155,000 UK users.

The penalty follows a separate $30 million settlement in the United States over the same breach, which affected millions of users beyond the UK.

The breach stemmed from a credential stuffing attack in 2023: attackers took username and password pairs leaked in unrelated breaches of other services and replayed them against 23andMe's login page, relying on customers who had reused the same password.

Once inside an account, attackers accessed a wide array of intimate data, from names and locations to racial and ethnic background, health reports and genealogical connections to relatives.

This method of attack has become increasingly widespread, driven by password reuse and by automated tools that test millions of leaked credentials against a site's login page.

A joint probe by the UK and Canadian privacy authorities uncovered a troubling pattern of negligence.

Despite growing industry consensus around multi-factor authentication (MFA) as a baseline control for accounts holding sensitive data, 23andMe had not required it for customer logins.

Investigators also flagged the company's slow reaction to a flood of login attempts against roughly one million accounts in a single day in July 2023, a red flag that, acted on promptly, could have limited the scope of the breach.
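The spike the investigators describe is exactly the kind of signal a login telemetry pipeline should catch: a sudden jump in attempt volume spread across far more accounts and source addresses than usual, with a failure rate that dwarfs normal typo rates. The script below is an added example of that detection logic, written for this page and not code from 23andMe or the ICO. The log line format, the field names, the thresholds and the sample data are all assumptions; the sample log is constructed inline so the script runs offline.

```python
"""Spotting a credential-stuffing burst in authentication logs.

Added example, not 23andMe's or the ICO's code. The log format below
(ISO timestamp, outcome, user=, ip=) and the alert thresholds are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from statistics import median

# Assumed log line shape: 2023-07-14T08:00:00Z LOGIN_OK user=a@x ip=203.0.113.1
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z\s+"
    r"(?P<outcome>LOGIN_OK|LOGIN_FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def make_sample_log():
    """Constructed sample: five quiet days, then one day of stuffing.

    Quiet days: 40 regular users, one IP each, a handful of failed logins.
    Stuffing day: 2,000 leaked accounts tried once each from 200 rotating
    IPs, with about 2.5% of the leaked pairs still valid on this site.
    """
    lines = []
    for day in range(10, 15):
        for u in range(40):
            ip = f"203.0.113.{u + 1}"
            lines.append(f"2023-07-{day:02d}T08:{u:02d}:00Z LOGIN_OK "
                         f"user=user{u:03d}@example.com ip={ip}")
            if u % 10 == 0:  # an occasional mistyped password
                lines.append(f"2023-07-{day:02d}T08:{u:02d}:30Z LOGIN_FAIL "
                             f"user=user{u:03d}@example.com ip={ip}")
    for i in range(2000):
        outcome = "LOGIN_OK" if i % 40 == 0 else "LOGIN_FAIL"
        hh, mm, ss = i // 120, (i % 120) // 2, (i % 2) * 30
        lines.append(f"2023-07-15T{hh:02d}:{mm:02d}:{ss:02d}Z {outcome} "
                     f"user=leak{i:05d}@example.org ip=198.51.100.{i % 200}")
    return lines


def daily_stats(lines):
    """Aggregate attempts, failure rate, distinct users and IPs per day."""
    acc = defaultdict(lambda: {"attempts": 0, "failures": 0,
                               "users": set(), "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; in production, count these too
        d = acc[rec["day"]]
        d["attempts"] += 1
        d["failures"] += 1 if rec["outcome"] == "LOGIN_FAIL" else 0
        d["users"].add(rec["user"])
        d["ips"].add(rec["ip"])
    return {
        day: {
            "attempts": d["attempts"],
            "failure_rate": d["failures"] / d["attempts"],
            "distinct_users": len(d["users"]),
            "distinct_ips": len(d["ips"]),
        }
        for day, d in sorted(acc.items())
    }


def detect_stuffing(stats, volume_multiplier=5.0,
                    min_failure_rate=0.5, min_user_spread=0.8):
    """Flag days that look like credential stuffing.

    A day is flagged when its attempt volume is at least volume_multiplier
    times the median of all earlier days, most attempts fail, and the
    attempts are spread over almost as many distinct accounts as there are
    attempts (each leaked pair tried once or twice). Thresholds are
    assumptions; tune them against your own baseline.
    """
    alerts, history = [], []
    for day, s in stats.items():
        if history:
            baseline = median(history)
            spread = s["distinct_users"] / s["attempts"]
            if (s["attempts"] >= volume_multiplier * baseline
                    and s["failure_rate"] >= min_failure_rate
                    and spread >= min_user_spread):
                alerts.append((day, s))
        history.append(s["attempts"])
    return alerts


if __name__ == "__main__":
    for day, s in detect_stuffing(daily_stats(make_sample_log())):
        print(f"ALERT {day}: {s['attempts']} attempts, "
              f"{s['failure_rate']:.0%} failed, "
              f"{s['distinct_users']} accounts from {s['distinct_ips']} IPs")
```

The volume check alone is enough to catch a jump from tens of logins a day to a million, which is why the July 2023 spike stands out as a missed signal; the failure-rate and account-spread checks are there to separate stuffing from a legitimate surge such as a marketing campaign, where most attempts succeed and repeat users dominate. The response that matters is on the other side of the alert: throttling or blocking the offending source ranges, forcing password resets or MFA on accounts that saw a success during the burst, and checking which data those sessions pulled.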

UK Information Commissioner John Edwards criticized the firm’s lack of preventative action, stressing the uniquely permanent nature of genetic data. “The exposed information was profoundly damaging,” he said. “Unlike passwords or credit card numbers, this type of personal data cannot be changed or reissued once compromised.”

The size of the fine reflects the seriousness of 23andMe's security lapses.

It also signals a broader shift in regulatory posture, with UK data authorities tightening oversight of biometric and genetic data.

