
The UK's Information Commissioner's Office (ICO) has imposed a £2.31 million ($3.1M) fine on 23andMe for its failure to secure the sensitive genetic and personal data of over 150,000 UK residents during a major credential-stuffing attack that unfolded across several months in 2023.
The fine follows a joint investigation conducted with the Office of the Privacy Commissioner of Canada, marking a significant international enforcement action targeting the California-based consumer genomics firm. According to the ICO, 23andMe failed to implement basic cybersecurity measures, leaving its UK customers exposed to lasting privacy harm.
Between April and September 2023, a threat actor launched a credential-stuffing campaign against 23andMe's platform, systematically exploiting reused usernames and passwords obtained from unrelated third-party breaches. Once inside user accounts, the attacker was able to access a wide range of sensitive data, including full names, birth years, location data, photographs, ethnic background, family relationships, and health-related reports.
What worsened the breach's impact was the optional yet widely enabled “DNA Relatives” feature, which interlinked users' genetic profiles with those of their DNA-matched relatives. This significantly magnified the scope of the exposure. While the number of directly compromised accounts was estimated at around 14,000, cascading access through DNA connections affected as many as 6.9 million users globally, including over 155,000 in the UK.
Founded in 2006, 23andMe rose to prominence as a pioneer in direct-to-consumer genetic testing, offering ancestry analysis, health predisposition insights, and genealogical matching. However, the breach, which ran from April to September 2023 and was only disclosed in October 2023, triggered a wave of legal and regulatory fallout, culminating in a Chapter 11 bankruptcy filing in March 2025.
In its findings, the ICO outlined several serious failings in 23andMe's security practices:
- Lack of multi-factor authentication (MFA) or other strong authentication measures.
- Weak monitoring and response mechanisms to detect and contain unusual activity.
- No safeguards around raw genetic data access and downloads.
- A delayed and insufficient response, with months passing before a full investigation began, even after internal anomalies and public claims of stolen data surfaced.
The attacker was observed testing credential access at scale as early as May 2023. In one instance, a million automated login attempts were made in a single day from a free test account, overwhelming 23andMe's systems and temporarily disabling platform access. Despite these red flags, the company did not recognize the incident as a coordinated breach until October 2023, when data began surfacing for sale on Reddit and dark web forums.
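The monitoring failure the ICO describes comes down to a pattern that is cheap to detect: one source making many login attempts against many distinct accounts in a short time, almost all of them failing, with the occasional success marking an account whose reused password the attacker got right. As an added example (not code from 23andMe or the ICO), the Python below runs a sliding-window credential-stuffing detector over a constructed authentication log. The log line layout, IP addresses, account names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line layout (an illustration, not 23andMe's real format):
#   <ISO-8601 UTC timestamp> ip=<source address> user=<account> result=OK|FAIL
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one auth log line into a dict, or return None for lines that
    do not match the assumed layout (they are skipped, not trusted)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_attempts=20, min_distinct_users=10,
                               min_failure_ratio=0.8):
    """Flag source IPs whose activity inside any sliding time window looks
    like credential stuffing: many attempts, against many distinct accounts,
    mostly failing. Successful logins inside a flagged burst are the accounts
    whose reused passwords the attacker guessed right; they need a forced
    password reset and session revocation, not just a block on the IP.
    The thresholds are illustrative defaults and must be tuned per site."""
    events_by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events_by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start:end+1] fit in it.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            attempts = len(burst)
            if attempts < min_attempts:
                continue
            users = {e["user"] for e in burst}
            failures = sum(1 for e in burst if not e["ok"])
            if len(users) < min_distinct_users or failures / attempts < min_failure_ratio:
                continue
            hit = findings.setdefault(ip, {
                "attempts": 0,
                "distinct_users": 0,
                "failure_ratio": 0.0,
                "first_seen": burst[0]["ts"],
                "compromised_accounts": set(),
            })
            # Keep the largest burst's figures and accumulate every successful login.
            if attempts > hit["attempts"]:
                hit["attempts"] = attempts
                hit["distinct_users"] = len(users)
                hit["failure_ratio"] = failures / attempts
            hit["compromised_accounts"].update(e["user"] for e in burst if e["ok"])

    for hit in findings.values():
        hit["compromised_accounts"] = sorted(hit["compromised_accounts"])
    return findings


def build_sample_log():
    """Constructed sample, not real 23andMe data: one source tries 30
    different accounts in 30 seconds and gets two of them right, while an
    ordinary user elsewhere mistypes a password once and then logs in."""
    t0 = datetime(2023, 5, 3, 10, 0, 0)
    lines = []
    for i in range(30):
        result = "OK" if i in (7, 21) else "FAIL"
        ts = (t0 + timedelta(seconds=i)).strftime(TS_FORMAT)
        lines.append(f"{ts} ip=203.0.113.7 user=user{i:02d} result={result}")
    for offset, result in ((timedelta(minutes=2), "FAIL"),
                           (timedelta(minutes=2, seconds=15), "OK")):
        ts = (t0 + offset).strftime(TS_FORMAT)
        lines.append(f"{ts} ip=198.51.100.20 user=alice result={result}")
    return lines


if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(build_sample_log()).items():
        print(f"{ip}: {hit['attempts']} attempts against {hit['distinct_users']} "
              f"accounts, {hit['failure_ratio']:.0%} failed; "
              f"compromised: {hit['compromised_accounts']}")
```

On the constructed sample the single stuffing source is flagged with 30 attempts against 30 accounts and two successes, while the legitimate user's one typo is ignored. In production the per-IP key is too coarse on its own, since stuffing tools rotate through proxy pools; the same window logic keyed on user-agent, ASN or a device fingerprint, plus a global failed-login rate against a daily baseline, catches the distributed form of the same attack.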
John Edwards, the UK's Information Commissioner, condemned the firm's approach: “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”
The penalty lands at a critical moment in the company's turbulent trajectory. 23andMe is now a subsidiary of Regeneron, which acquired its genomic assets, including genetic data from over 15 million users, for $256 million. While Regeneron has pledged to uphold existing privacy commitments, data governance and re-identification risks remain key concerns, particularly as genetic data is inherently immutable and uniquely identifiable.