UK Fines 23andMe £2.3M for 2023 Data Breach Exposing 150,000 Users

The genetic testing company 23andMe was fined £2.31 million by the UK's Information Commissioner's Office (ICO) following a 2023 cyberattack that exposed sensitive personal data of more than 150,000 UK residents and affected about 7 million people worldwide. The breach, caused by a credential stuffing attack exploiting reused passwords, allowed hackers to access names, birth years, locations, family trees, health reports, and genetic information without additional verification safeguards. Despite early signs of the attack starting in April 2023 and online claims of stolen data, 23andMe delayed confirming the breach until October, when stolen data was found for sale on Reddit. The ICO criticized 23andMe for failing to implement basic security measures, including stronger user authentication and protections for accessing raw genetic data, which are required for the special category of genetic information under UK law. Following the breach and loss of customer trust, 23andMe filed for bankruptcy in the US and is set to be sold to TTAM Research Institute, which has committed to improving data security and privacy protections. The incident highlights the profound risks and irreversibility associated with genetic data breaches, as emphasized by UK Information Commissioner John Edwards.