23andMe: Genetic testing company fined £2.31m after cyberattack exposed family data of over 150,000 UK users
The fine follows a joint investigation by the UK’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada, which found that 23andMe had failed to implement basic security measures, allowing hackers to access deeply personal information, with potentially harmful consequences, through a credential stuffing attack - a method in which login details stolen in unrelated breaches are replayed to gain unauthorised access to other platforms.
According to the investigation, the attacker accessed names, birth years, locations, photos, family trees, health reports, race, and ethnic background details between April and September 2023. One of the most serious findings was that 23andMe did not require additional verification steps to download raw genetic data, despite the sensitivity of the information.
The investigation revealed that 23andMe ignored early warning signs. The first signs of malicious activity began in April 2023, with an intensified attack in May. In August, despite online claims that data had been stolen, the company dismissed it as a hoax. It wasn’t until October 2023, when a company employee found user data for sale on Reddit, that 23andMe confirmed the breach and launched a full investigation.
The company failed to use multi-factor authentication, did not enforce secure password policies, and lacked systems to detect or respond quickly to threats, according to the ICO.
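The ICO’s three findings above (no multi-factor authentication, no step-up check on sensitive downloads, and no detection of the attack) map directly onto controls a defender can build. The following is an added illustration, not code from 23andMe or from the ICO report: it runs a credential stuffing detector over a constructed authentication log and shows a freshness-based step-up check for sensitive actions. The log lines, IP addresses, account names and thresholds are all invented for the example.

```python
"""Detecting credential stuffing and gating sensitive actions behind a second factor.

Credential stuffing shows up in authentication logs as one source address
attempting logins for many *different* accounts in a short period, with most
attempts failing and a few succeeding (the reused passwords that happen to
match). The detector below looks for exactly that shape. The step-up helper
models the control 23andMe lacked: raw genetic data should not be downloadable
on a password-only session.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int      # seconds since epoch (simplified for the example)
    ip: str
    user: str
    ok: bool


# Constructed sample log for this example; not real traffic or real accounts.
# Format: "<ts> <source ip> <account> <OK|FAIL>"
SAMPLE_LOG = """\
100 198.51.100.7 alice@example.net OK
105 203.0.113.5 alice@example.net FAIL
110 203.0.113.5 bob@example.net FAIL
115 203.0.113.5 carol@example.net OK
120 203.0.113.5 dave@example.net FAIL
125 203.0.113.5 erin@example.net FAIL
130 203.0.113.5 frank@example.net FAIL
135 203.0.113.5 grace@example.net FAIL
140 198.51.100.7 alice@example.net FAIL
145 198.51.100.7 alice@example.net OK
"""


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, status = line.split()
        events.append(AuthEvent(int(ts), ip, user, status == "OK"))
    return events


def detect_credential_stuffing(events, window=300, min_distinct_users=5,
                               min_failure_ratio=0.6):
    """Flag source IPs that, within any sliding window of `window` seconds, try
    at least `min_distinct_users` different accounts with a failure ratio of
    at least `min_failure_ratio`. A single user mistyping their password hits
    one account and is never flagged. For each flagged IP the finding also
    lists accounts that logged in successfully from it, which are the
    candidates for forced password reset and session revocation."""
    by_ip: dict[str, list[AuthEvent]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_ip.setdefault(e.ip, []).append(e)

    findings = {}
    for ip, evs in by_ip.items():
        win: deque[AuthEvent] = deque()
        for e in evs:
            win.append(e)
            while e.ts - win[0].ts > window:      # drop events older than the window
                win.popleft()
            users = {w.user for w in win}
            failures = sum(1 for w in win if not w.ok)
            ratio = failures / len(win)
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                prev = findings.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        "failure_ratio": round(ratio, 2),
                        "succeeded": sorted({w.user for w in win if w.ok}),
                    }
    return findings


# Hypothetical action names for the example; a real service would use its own.
SENSITIVE_ACTIONS = {"download_raw_genetic_data", "change_email", "delete_account"}


def step_up_required(action: str, last_mfa_ts, now: int, max_age: int = 600) -> bool:
    """Return True if `action` must be refused until the user completes a fresh
    second-factor check. A password login alone (last_mfa_ts is None) never
    satisfies a sensitive action, and an old second-factor check expires."""
    if action not in SENSITIVE_ACTIONS:
        return False
    return last_mfa_ts is None or now - last_mfa_ts > max_age


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"stuffing suspected from {ip}: {f}")
    print("raw download on password-only session needs step-up:",
          step_up_required("download_raw_genetic_data", None, now=1000))
```

In the constructed log, 203.0.113.5 tries seven accounts in thirty seconds with one success, so it is flagged and carol@example.net is reported as the account to reset; 198.51.100.7 only ever touches alice@example.net and is ignored. The thresholds are starting points, not tuned values: a real deployment would also key on ASN, user agent and per-account velocity, and would feed the flagged IPs to rate limiting rather than only logging them.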
UK Information Commissioner John Edwards said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”
“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond,” he added.
The Canadian Privacy Commissioner, Philippe Dufresne, said: “Strong data protection must be a priority for organisations, especially those that are holding sensitive personal information.”
Affected users expressed deep concern to the ICO. One said: “I expected rigorous privacy controls to be in place due to the nature of the information collected. Unlike usernames, passwords and e-mail addresses, you can't change your genetic makeup when a data breach occurs.” Another described being “disgusted that my DNA data could be out there in the wild and exposed to bad actors.”
What has happened to 23andMe?
Founded as a pioneer in at-home DNA testing, 23andMe has suffered a dramatic fall in recent years. In November 2024, the company laid off 40% of its workforce and scrapped all therapeutics development as part of a drastic restructuring effort.
CEO Anne Wojcicki said at the time: “We are taking these difficult but necessary actions as we restructure 23andMe and focus on the long-term success of our core consumer business and research partnerships.”
Following the 2023 breach, hackers attempted to sell the genetic and ancestral data of millions, including 1 million users of Ashkenazi Jewish descent and 100,000 of Chinese descent, fuelling a class-action lawsuit in the US over claims the company failed to notify affected groups.
In September 2024, all board members, except Wojcicki herself, resigned, citing disagreements over the company’s future and her attempts to take it private. “It is also clear that we differ on the strategic direction for the Company going forward,” the board wrote in a public resignation letter.
23andMe has since implemented improved security measures that, according to the ICO, were sufficient to end the breach conditions by the end of 2024.
In March this year, the firm filed for bankruptcy protection in the US as part of an effort to sell the business, following multiple failed buyout attempts by its chief executive.
The company announced it had voluntarily entered Chapter 11 proceedings in the US Bankruptcy Court for the Eastern District of Missouri to “facilitate a sale process to maximise the value of its business.”
Despite the filing, the loss-making company said it would continue operating as normal during the sale process. “There are no changes to the way the company stores, manages, or protects customer data,” it added.
The San Francisco-based firm also confirmed that Wojcicki would be stepping down. Wojcicki had been seeking to take the company private since April last year, but her efforts were repeatedly rejected by the company’s board.