23andMe handed huge fine days after rescue

Testing firm 23andMe has been fined more than £2m for failing to protect the sensitive personal and genetic data of more than 155,000 UK customers, in what regulators described as a “profoundly damaging” breach.
The UK’s Information Commissioner’s Office (ICO) has fined the company £2.31m following a joint investigation with its Canadian counterpart, the Office of the Privacy Commissioner of Canada, in the wake of a large-scale cyber attack in 2023.
The breach exploited reused login credentials via a “credential stuffing” campaign, resulting in hackers accessing users’ names, ethnicity, genetic traits, health reports and family trees.
23andMe’s ‘delayed and inadequate’ response
The breach occurred between April and September 2023, during which hackers systematically accessed accounts using stolen login credentials from previous unrelated breaches.
Despite several warning signs – including a failed attempt to log into 1m accounts in a single day in July 2023 and activity involving profile transfers – the firm failed to launch a full investigation until October, when stolen data surfaced for sale on Reddit.
The ICO concluded that 23andMe had violated UK data protection law in three ways: by failing to require multi-factor authentication, by lacking proper data controls, and by failing to detect and respond to the intrusion in a timely manner.
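An added example, not code from the article, the ICO or 23andMe, of the kind of detection the regulator says was missing: it parses constructed login events in a hypothetical "timestamp user source_ip outcome" format and flags a source IP that fails against many distinct accounts in one day (the credential-stuffing signature, as opposed to one user mistyping a password), listing any account that then logged in successfully from that IP as a takeover candidate.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a hypothetical log format (not 23andMe's logs).
# 203.0.113.5 cycles through many usernames; alice's retry from 198.51.100.7 is benign.
SAMPLE_LOG = """\
2023-07-14T02:00:01 alice 203.0.113.5 FAIL
2023-07-14T02:00:02 bob 203.0.113.5 FAIL
2023-07-14T02:00:03 carol 203.0.113.5 FAIL
2023-07-14T02:00:04 dave 203.0.113.5 FAIL
2023-07-14T02:00:05 erin 203.0.113.5 FAIL
2023-07-14T02:00:06 frank 203.0.113.5 SUCCESS
2023-07-14T09:15:00 alice 198.51.100.7 FAIL
2023-07-14T09:15:20 alice 198.51.100.7 SUCCESS
"""

def parse_log(text):
    """Return (timestamp, user, ip, outcome) tuples from the sample format."""
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return events

def daily_failed_accounts(events):
    """Distinct accounts with at least one failed login per day: the volume
    signal the article describes (failed logins against 1m accounts in one day)."""
    per_day = defaultdict(set)
    for ts, user, _ip, outcome in events:
        if outcome == "FAIL":
            per_day[ts.date().isoformat()].add(user)
    return {day: len(users) for day, users in per_day.items()}

def detect_stuffing(events, distinct_threshold=5):
    """Flag (day, source IP) pairs that fail against many distinct accounts.
    Accounts that then succeed from that IP are takeover candidates; requiring
    MFA would have stopped those logins even with a valid reused password."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for ts, user, ip, outcome in events:
        key = (ts.date().isoformat(), ip)
        (failed if outcome == "FAIL" else succeeded)[key].add(user)
    alerts = []
    for (day, ip), users in failed.items():
        if len(users) >= distinct_threshold:
            alerts.append({"day": day, "ip": ip, "distinct_failed_accounts": len(users),
                           "takeover_candidates": sorted(succeeded.get((day, ip), set()))})
    return alerts
```

In production the threshold would be set against a per-IP baseline, and the same per-account counter would feed rate limiting or a forced MFA challenge rather than only an alert.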
“23andMe failed to take basic steps to protect this information”, said UK information commissioner John Edwards.
“Once this information is out there, it cannot be changed or reissued like a password or credit card number”.
Canadian privacy commissioner Philippe Dufresne added that the breach underscored the need for stronger security in an era of increasing ransomware and data threats: “Organisations that hold sensitive data must act with vigilance – and speed”.
Bankruptcy, bid war and founder’s comeback
The ICO fine comes just days after 23andMe’s co-founder Anne Wojcicki won a bid to regain control of the company with a £305m offer via her nonprofit, TTAM Research Institute.
She outbid pharmaceutical giant Regeneron, which had earlier agreed to acquire the firm for £256m in a bankruptcy auction.
Once valued at $6bn, 23andMe filed for Chapter 11 bankruptcy in March 2025 after a dramatic fall in demand and lasting damage from the breach.
Wojcicki’s return marks a last-ditch attempt to revive the company’s mission, now under nonprofit ownership.
“I am thrilled that TTAM will be able to continue the mission of 23andMe to help people access, understand and benefit from the human genome”, said Wojcicki on Friday.
TTAM’s acquisition, which includes the company’s Personal Genome Service, Research Services, and Lemonaid Health, is pending court approval.
An industry wake-up call
The breach and subsequent enforcement action come at a time of growing scrutiny around data protection in biotech.
Nick Portch, director at Equinix, said secure collaboration and data sharing are essential for innovation, but must be underpinned by trust and infrastructure.
“Given the sensitivity of the data in life sciences, companies are right to be cautious – but secure sharing is possible”, Portch argued. “Sharing data opens the door to more impactful medical treatments and faster outcomes”.
The penalty also lands amid a broader UK push to back research and innovation.
As part of last week’s Spending Review, Chancellor Rachel Reeves confirmed that public R&D funding will rise to £22.6bn by 2029, supporting industrial strategy areas including AI, drug discovery and biotech manufacturing.
The ICO said 23andMe has since improved its systems sufficiently to close the investigation.
Yet, the regulator warned other firms that failure to act on early signs of intrusion will not be tolerated.
“Data protection doesn’t stop at borders”, Edwards added. “And neither do we”.