The UK Information Commissioner’s Office (ICO) has fined genetic testing provider 23andMe £2.31 million ($3.12 million) over ‘serious security failings’ that led to a ‘profoundly damaging’ data breach in 2023.
The data protection watchdog said today that 23andMe failed to protect the sensitive data of UK residents who had their genotype data, health reports, and personal information stolen in credential stuffing attacks (automated login attempts that reuse credentials stolen from other breaches) that went unnoticed for five months, between April 2023 and September 2023.
“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK,” said John Edwards, UK’s Information Commissioner. “As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”
As the genomics company disclosed in data breach notification letters sent to impacted individuals, some of this extremely sensitive stolen data was released on the unofficial 23andMe subreddit site and the BreachForums hacking forum.
The leaked information included the data of 4.1 million people living in the United Kingdom and Germany, as well as that of 1 million Ashkenazi Jews.
After discovering this extensive breach, 23andMe implemented measures to block similar incidents, including enabling two-factor authentication by default and requiring customers to reset passwords.
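The breach described above went unnoticed for five months even though credential stuffing leaves a distinctive trace: one source trying many different accounts and failing on most of them. The following detector is an added illustration of that signal, not code from 23andMe or the ICO; the log line format, the thresholds and the sample log lines are assumptions constructed for this example.

```python
"""
Credential-stuffing detector over authentication logs (added example).

Assumed log format, one login attempt per line:
    <ISO-8601 timestamp> <source IP> <account> <SUCCESS|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; tune them to real traffic.
# A stuffing source hits many *distinct* accounts and fails on most of them,
# which separates it from one user mistyping their own password.
MIN_DISTINCT_ACCOUNTS = 5
MIN_FAILURE_RATIO = 0.6
WINDOW = timedelta(minutes=10)

# Constructed sample log: one stuffing source (203.0.113.7) that lands two
# accounts, one legitimate user retrying a password, one normal login.
SAMPLE_LOG = """\
2023-04-12T03:00:01Z 203.0.113.7 alice@example.com FAIL
2023-04-12T03:00:02Z 203.0.113.7 bob@example.com FAIL
2023-04-12T03:00:03Z 203.0.113.7 carol@example.com SUCCESS
2023-04-12T03:00:04Z 203.0.113.7 dave@example.com FAIL
2023-04-12T03:00:05Z 203.0.113.7 erin@example.com FAIL
2023-04-12T03:00:06Z 203.0.113.7 frank@example.com FAIL
2023-04-12T03:00:07Z 203.0.113.7 grace@example.com SUCCESS
2023-04-12T03:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-04-12T03:05:00Z 198.51.100.5 ivan@example.com FAIL
2023-04-12T03:05:20Z 198.51.100.5 ivan@example.com FAIL
2023-04-12T03:05:40Z 198.51.100.5 ivan@example.com SUCCESS
2023-04-12T03:06:00Z 192.0.2.9 judy@example.com SUCCESS
"""


@dataclass
class Finding:
    source_ip: str
    attempts: int
    distinct_accounts: int
    failures: int
    # Accounts that logged in successfully from a flagged source: likely takeovers
    compromised_accounts: list = field(default_factory=list)


def parse_line(line):
    """Parse one log line into (timestamp, ip, account, success)."""
    ts, ip, account, outcome = line.split()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")),
            ip, account, outcome == "SUCCESS")


def detect_credential_stuffing(lines, window=WINDOW):
    """Flag every source IP that, inside some sliding window, attempts
    many distinct accounts with a high failure ratio."""
    by_ip = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, account, ok = parse_line(line)
        by_ip[ip].append((ts, account, ok))

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        flagged = False
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            accounts = {a for _, a, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            if (len(accounts) >= MIN_DISTINCT_ACCOUNTS
                    and failures / len(chunk) >= MIN_FAILURE_RATIO):
                flagged = True
                break
        if flagged:
            findings.append(Finding(
                source_ip=ip,
                attempts=len(events),
                distinct_accounts=len({a for _, a, _ in events}),
                failures=sum(1 for _, _, ok in events if not ok),
                compromised_accounts=sorted({a for _, a, ok in events if ok}),
            ))
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(f)
```

The legitimate retrying user (198.51.100.5) is never flagged because every attempt targets a single account, while the stuffing source is caught after its fifth distinct account, within seconds rather than months. The successful logins from a flagged source are the accounts to force a password reset on and to review for data access.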
“As part of our regulatory process, we took into consideration representations from 23andMe, before deciding on whether to impose a financial penalty, and the final amount of the penalty,” an ICO spokesperson told BleepingComputer when asked how the fine amount was calculated.
“The amount of this fine has been set in accordance with our Data Protection Fining Guidance. This specific section of the fining guidance details the maximum amount we may fine a company.”
This fine comes after the California-based genetic testing provider filed for Chapter 11 bankruptcy in late March and announced that it plans to sell its assets following multiple years of financial struggles.
The 2023 data breach has led to multiple class-action lawsuits, which prompted 23andMe to amend its Terms of Use in November 2023 to make it harder to get sued. However, the company claimed the changes only aimed to simplify the arbitration process.
In September 2024, the DNA testing giant agreed to pay $30 million to settle a lawsuit over the 2023 data breach that had exposed the data of 6.4 million customers worldwide.