23andMe, a popular consumer genetics company, has been fined £325,000 by the UK’s Information Commissioner’s Office (ICO) for failing to adequately protect sensitive genetic data. The penalty follows a 2023 data breach that exposed the personal and ancestral information of nearly 7 million users, prompting widespread concern over the security of DNA-based services.
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has issued a £325,000 fine to DNA testing company 23andMe after finding that it failed to protect the personal data of nearly 14,000 customers. The ICO described the lapse as “poor governance” that allowed access to genetic data via website search functions. The ICO identified that, due to weak internal processes, some users’ raw genetic profiles remained accessible even after they deleted their accounts. The breach persisted until the company rectified the issue under regulatory pressure.
In October 2023, 23andMe detected a major security breach originating from credential-stuffing attacks. The breach gave the attackers direct access to approximately 14,000 individual accounts, but via the DNA Relatives feature they scraped sensitive personal details of nearly 6.9 million users, including family trees, birth years, and locations. Following the discovery of the breach, both the UK’s Information Commissioner’s Office and Canada’s privacy watchdog launched a joint investigation into whether 23andMe had implemented sufficient protections.
The inquiry focused on the company’s authentication protocols and its overall response to the breach. The ICO fine is a direct consequence of that investigation, exposing persistent governance gaps even months after alarms were raised.
According to a BBC report, the ICO’s John Edwards said “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions.” He added that “Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”
Unauthorized access to such information opens the door to a range of risks, including identity theft, medical fraud, and genetic discrimination by insurers or employers.
Credential stuffing is an attack method in which attackers replay usernames and passwords stolen in other breaches against a site’s login, relying on users having reused the same credentials to gain access to their accounts.
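Because stuffing replays many different leaked username/password pairs, it leaves a different trace in authentication logs than a brute-force attack on one account. The following added example (not 23andMe’s code; the log format, sample lines and thresholds are assumed) flags source IPs whose attempts are spread over many distinct accounts with a high failure rate, and lists the accounts that did log in successfully from such an IP, since those are the ones to treat as compromised and whose linked data (such as DNA Relatives matches) may have been scraped.

```python
"""Flag credential-stuffing patterns in login logs (added example,
not 23andMe's code). Stuffing looks like many DISTINCT usernames tried
from few IPs with a high failure rate, since each leaked pair is tried
once; brute force is one user, many tries. Format/thresholds assumed."""
import re
from collections import defaultdict

# Constructed sample lines (assumed format): timestamp ip user OK|FAIL
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.5 alice FAIL
2023-10-01T10:00:02 203.0.113.5 bob FAIL
2023-10-01T10:00:02 203.0.113.5 carol OK
2023-10-01T10:00:03 203.0.113.5 dave FAIL
2023-10-01T10:00:03 203.0.113.5 erin FAIL
2023-10-01T10:00:04 203.0.113.5 frank FAIL
2023-10-01T10:00:10 198.51.100.9 alice FAIL
2023-10-01T10:00:12 198.51.100.9 alice OK
2023-10-01T10:01:00 192.0.2.77 bob OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Yield (ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, ip, user, result = m.groups()
            yield ip, user, result == "OK"

def find_credential_stuffing(text, min_users=5, min_fail_rate=0.6):
    """Return {ip: (distinct_users, attempts, fail_rate, compromised)}
    for IPs spreading mostly-failed attempts over many accounts;
    'compromised' lists accounts that logged in OK from that IP."""
    users, ok_users = defaultdict(set), defaultdict(set)
    attempts, fails = defaultdict(int), defaultdict(int)
    for ip, user, ok in parse_log(text):
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            ok_users[ip].add(user)
        else:
            fails[ip] += 1
    flagged = {}
    for ip, n in attempts.items():
        rate = fails[ip] / n
        if len(users[ip]) >= min_users and rate >= min_fail_rate:
            flagged[ip] = (len(users[ip]), n, round(rate, 2),
                           sorted(ok_users[ip]))
    return flagged
```

On the sample, only 203.0.113.5 is flagged (six accounts, five failures), while 198.51.100.9 retrying a single account is not; in practice the thresholds should be tuned against a baseline of normal login traffic, and successful logins from a flagged IP warrant a forced password reset and an MFA requirement.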
In the UK, genetic data is classified as special category data under the UK GDPR and requires enhanced protection. In the U.S., laws like GINA (Genetic Information Nondiscrimination Act) offer protection for genetic data.