"DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack", 17 June 2025

The genetic testing company 23andMe has been fined more than £2.3m for failing to protect the personal information of more than 150,000 UK residents after a large-scale cyberattack in 2023.

Family trees, health reports, names and postcodes were among the sensitive data hacked from the California-based company. It only confirmed the breach months after the infiltration started and once an employee saw the stolen data advertised for sale on the social media platform Reddit, according to the UK Information Commissioner’s Office – which levied the fine.

The information commissioner, John Edwards, called the months-long incident across the summer of 2023 a “profoundly damaging breach”. The compromise of UK data was just a fraction of the wider losses, with the data of 7 million people affected.

23andMe charges users £89 to have their DNA screened using a saliva-based kit, allowing them to discover where their distant ancestors came from in terms of their ethnicity and location. But many customers asked for their DNA data to be deleted from the company’s archives after the hack and it filed for bankruptcy protection in the US in March.

...

23andMe failed to take basic steps to protect the information and their security systems were inadequate, the UK data protection regulator found. The breaches included failing to install tougher user authentication.

...

A spokesperson for the company said 23andMe had since implemented multiple steps to increase security to protect individual accounts and information. They said that as part of the deal to acquire 23andMe, Wojcicki’s non-profit, the TTAM Research Institute, has made “binding commitments to enhance protections for customer data and privacy, including allowing individuals to delete their account and opt out of research at any time” and “agreeing not to sell or transfer genetic data under a subsequent bankruptcy or change of control”, and offering customers two years of free identity theft monitoring.

The fine is among several multimillion pound punishments meted out by the ICO in recent years for failure to protect data from hacks and ransomware attacks. ...