UK ICO Fines 23andMe £2.31 Million for Data Protection Breach

The UK Information Commissioner's Office (ICO) has imposed a fine of £2.31 million on genetic testing company 23andMe for failing to protect the sensitive personal data of over 155,000 users in the UK. The enforcement action, announced on June 25, 2025, underscores the importance of robust data protection measures, especially within the health and biotechnology sectors. The fine follows a large-scale cyberattack between April and September 2023, in which attackers used credential stuffing, trying username and password pairs leaked elsewhere against accounts whose owners had reused them. The attack led to unauthorized access to a wealth of sensitive information, including names, birth years, locations, and health reports.
According to David McIlwaine, a cybersecurity expert and Partner at Pinsent Masons, 'The monetary penalty notice and fine levied by the ICO illustrates that 23andMe's IT security posture was insufficient at the time of the attack.' He emphasized that companies handling sensitive personal data must implement adequate cybersecurity measures to avoid severe consequences. The ICO's investigation revealed that 23andMe failed to establish basic security protocols, such as requiring strong, unique passwords and multi-factor authentication.
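The ICO's findings above turn on two controls: detecting an attacker who replays leaked username and password pairs across many accounts, and refusing to let a correct password alone open an account. The following Python is an added illustration written for this page, not code from 23andMe, the ICO or Pinsent Masons. The `key=value` log format, the thresholds and the sample log lines are constructed assumptions; the detection idea is the standard one for credential stuffing: one source trying many distinct accounts in a short window with a high failure rate, which looks nothing like one user mistyping their own password.

```python
"""Credential-stuffing detection over authentication logs (added example).

Log format, thresholds and sample data are constructed assumptions, not
anything taken from the 23andMe incident or the ICO penalty notice.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: one source walks ten different accounts in nine seconds
# and gets two of them right; a second source is one person retrying their own
# account, which must NOT be flagged.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2023-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2023-05-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2023-05-01T10:00:03Z src=203.0.113.5 user=dave result=OK
2023-05-01T10:00:04Z src=203.0.113.5 user=erin result=FAIL
2023-05-01T10:00:05Z src=203.0.113.5 user=frank result=FAIL
2023-05-01T10:00:06Z src=203.0.113.5 user=grace result=FAIL
2023-05-01T10:00:07Z src=203.0.113.5 user=heidi result=OK
2023-05-01T10:00:08Z src=203.0.113.5 user=ivan result=FAIL
2023-05-01T10:00:09Z src=203.0.113.5 user=judy result=FAIL
2023-05-01T10:05:00Z src=198.51.100.7 user=alice result=FAIL
2023-05-01T10:05:20Z src=198.51.100.7 user=alice result=FAIL
2023-05-01T10:05:40Z src=198.51.100.7 user=alice result=OK
"""

# Assumed line shape: "<iso-timestamp> src=<ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format; malformed rows are skipped, not guessed."""
    events: list[LoginEvent] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(
    events: list[LoginEvent],
    window: timedelta = timedelta(seconds=60),
    min_users: int = 8,
    min_fail_ratio: float = 0.5,
) -> dict[str, dict]:
    """Flag a source that tries at least `min_users` distinct accounts inside
    `window` with a failure ratio of at least `min_fail_ratio`.

    The returned alert lists the accounts that succeeded from that source: those
    are the reused credentials that worked, and the ones whose sessions need
    revoking and passwords resetting. Thresholds are illustrative assumptions.
    """
    by_src: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    alerts: dict[str, dict] = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            fails = sum(not e.ok for e in span)
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # Keep the widest qualifying window seen for this source.
                if src not in alerts or len(users) > alerts[src]["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "fail_ratio": round(ratio, 2),
                        "compromised": sorted(e.user for e in span if e.ok),
                    }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, alert)
```

The single-account retries from `198.51.100.7` never trip the rule because the distinct-user count stays at one, which is the distinction between stuffing and ordinary failed logins that a per-IP failure counter alone misses. In production the same logic would run over a streaming window per source, and the `compromised` list is the input to the containment step: revoke sessions, force a reset, and notify the account holders. The second control the ICO named, multi-factor authentication, sits outside this detector: with MFA enforced, the two `OK` rows would be password-only successes that still do not grant access.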
The breach is particularly concerning due to the nature of the compromised data, which includes genetic and familial information. This type of data is not only deeply personal but also immutable, raising the stakes for users' privacy. The ICO criticized 23andMe for a slow response to the breach and inadequate security systems, stating that the company had ignored clear warning signs of vulnerability.
The regulator found that the breach violated the UK General Data Protection Regulation (UK GDPR), which requires data controllers to implement security measures appropriate to the risks involved. The ICO's decision to impose a fine despite 23andMe's current financial difficulties, including a reported deficit of $2.4 billion, reflects a commitment to holding companies accountable for data protection failures.
In a broader context, this incident serves as a reminder to companies handling critical consumer data of the imperative to adhere to data protection regulations. The ICO's action, which follows a joint investigation with the Office of the Privacy Commissioner of Canada, signals increasing international scrutiny of data security practices.
Experts have noted that this case is not an isolated incident but part of a growing trend of regulatory actions against companies that fail to protect user data adequately. The ICO's fine against 23andMe, a company that has already faced legal challenges including a $30 million class action settlement related to the same breach, may set a precedent for future enforcement actions.
In light of these developments, it is crucial for organizations in the health and biotech sectors to reassess their data protection measures and ensure compliance with legal requirements. The ICO's decision underscores the importance of proactive cybersecurity strategies in safeguarding sensitive personal information against the backdrop of evolving digital threats.