The UK’s data protection regulator has fined genetic testing firm 23andMe £2.31 million following a large-scale data breach in 2023 that exposed the personal and sensitive health information of thousands of users, including over 155,000 UK residents.
The Information Commissioner’s Office (ICO) said on Monday that 23andMe had failed to implement basic security measures, leaving sensitive user information—including health reports, racial and ethnic identity, profile images, and family histories—vulnerable to cyberattack.
“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions,” said Information Commissioner John Edwards. “Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”
The breach originated in October 2023, when hackers launched what’s known as a “credential stuffing” attack. Using usernames and passwords obtained from previous unrelated data leaks, attackers were able to access 14,000 individual 23andMe accounts. Crucially, because 23andMe links users to their genetic relatives, this gave attackers the ability to extract data on an estimated 6.9 million people connected through the platform.
Although DNA data was not compromised, the stolen information included special category data under UK law—such as ethnicity, health information and familial relationships—which requires stricter protection under GDPR due to its highly sensitive nature.
Support authors and subscribe to content
This is premium stuff. Subscribe to read the entire article.
