23andMe Fined £2.3M for Major Data Breach

The UK Information Commissioner's Office (ICO) fined 23andMe £2.31 million after a 2023 data breach exposed the genetic and personal data of over 150,000 UK residents and millions globally. The breach, which lasted from April to September 2023, involved hackers using credential stuffing attacks to access and scrape health, family, ethnicity, and genetic data, with some of the information later posted online. Investigations by both the ICO and Canada’s privacy commissioner found that 23andMe lacked adequate authentication, including multi-factor authentication, and failed to respond promptly, only acting after data surfaced for sale on Reddit. The breach led to significant fallout, including the company's US bankruptcy filing and impending sale to new ownership committed to improving data protection. Regulators highlighted that genetic data is protected under special UK legal categories and stressed the irreversible harm from such leaks. Privacy advocates noted that, unlike passwords or credit cards, genetic data cannot be changed if compromised.