23andMe Faces⁣ £2.31M Fine Over⁤ Data Breach Impacting UK Residents

⁣ Updated june 17, 2025
⁢ ​ ⁣

The U.K.’s Information Commissioner’s Office (ICO) has levied a £2.31 million ($3.1​ million) fine ⁢against 23andMe, ⁤the genetic ⁤testing company, for failing to adequately protect the personal ‍adn genetic information of​ U.K. residents. The fine stems⁣ from a significant data ‍breach ​in 2023.

The ICO stated ‍the⁢ company did not implement sufficient verification measures for users accessing ‍and downloading their‌ raw genetic data⁤ at ‌the time of the cyberattack. This lack of security ‌played a key role in⁢ the⁢ breach.

The 2023 cyberattack compromised ⁣the private data of more than 6.9 million users through a months-long campaign that exploited stolen credentials. The ICO emphasized that 23andMe’s failure to require multi-factor authentication violated U.K. data⁣ protection law, increasing the company’s role in the data breach.

The breach resulted ⁣in the theft of data belonging to over 155,000 U.K. ‍residents, ‍according to the ICO.

23andMe has as implemented‌ mandatory multi-factor authentication for all accounts.

The⁢ ICO‌ is currently in communication with 23andMe’s trustee following the company’s recent bankruptcy ⁣protection‌ filing. A hearing regarding‍ the potential sale of 23andMe⁤ is scheduled for later‌ today.

What’s next

The ICO will continue to monitor 23andMe’s ⁢compliance with data protection laws, particularly regarding the security of user data ​and the implementation of robust authentication measures. ⁤The⁢ outcome of the sale ⁢hearing ⁢could also impact the future of ‌data protection for 23andMe users.