23andMe Fined £2.3 Million By Regulators Following Cyber Attack
The Information Commissioner’s Office, the independent supervisory authority for data protection in the UK, has fined 23andMe, a genetic testing service, £2.31 million following an investigation into a cyber attack that happened in 2023.
Between April and September 2023, an attacker carried out a credential stuffing attack, which exploited reused login credentials that were stolen from previous unrelated cyber attacks. Credential stuffing is when login details, usually stolen from another breach, are tried on different services, relying on users reusing the same passwords.
Over the five-month period this attack was carried out, the attacker managed to gain unauthorised access to personal data belonging to 155,000 UK residents, including names, birth years, addresses, profile pictures, race, ethnicity, family trees and health reports. The types of personal data compromised varied from account to account.
The investigation revealed that there were serious security failings at the time of the attack. 23andMe was found to have breached UK data protection law by failing to implement the necessary authentication and validation measures, such as secure username and password requirements, and multi-factor authentication.
It was also found that there was a lack of controls over the access to raw genetic data, and there were no systems in place to detect or respond to cyber attacks, which is possibly part of the reason why the attacker got away with this activity for so long.
To make matters worse, the response from 23andMe to the attack was also found to be inadequate. The attack started in April 2023 and intensified from May. In August, a claim of data theft impacting 10 million users was brushed off, even though unauthorised activity had already been investigated internally in July. It was only in October that an investigation was launched, when data stolen from the platform was found to be for sale via Reddit. By the end of 2024, 23andMe had made the necessary security improvements, but much of the damage had already been done.
While the £2.3 million fine is severe and reflects how serious this incident was, it’s perhaps the other outcomes of this attack that caused far more damage to the organisation. In March 2025, 23andMe filed for bankruptcy. This followed a decline in demand for its services, a class action lawsuit that was settled for roughly £22 million and a sharp drop in stock price.
Click here to read the full penalty notice from the ICO.
What can we learn from this?
Despite the size of the business involved and the severity and magnitude of the incident, there are still some key takeaways from this that absolutely apply to smaller businesses:
Credential stuffing is a real threat: It’s easy to just focus on your internal systems when reviewing your security measures, but it’s just as important that other points of access (in this case, customer accounts) also have the necessary safeguards in place. Users having the same username and password for multiple services is an unavoidable risk, but having measures such as multi-factor authentication, or unique password requirements can help prevent unauthorised access.
Sensitive data requires stronger security: 23andMe handled highly sensitive data (race, ethnicity, family trees and health reports) yet didn’t have the required controls surrounding it. Restricting easy access to special categories of data can help reduce the risk of unauthorised access.
Detecting attacks quickly is vital: The attacker was active for five months before any real preventative action took place, even after early warning signs were visible. It shouldn’t take someone finding your data listed for sale on Reddit for you to take action.
Don’t dismiss early warnings: Claims of a breach were made as early as August, yet no action was taken until October. If there are credible indications of a breach, you must take them seriously and act fast. Early breach detection will help limit damage and, in the event of an investigation, demonstrate accountability.
Be proactive, not reactive: While 23andMe made the necessary security fixes, the damage had already been done. Reactive improvements can’t reverse financial or reputational harm, but a proactive improvement in security will help prevent issues from happening in the first place.
Security failures can destroy a business: While the enforcement action from the ICO was significant, the real damage came from the collapse in user trust and legal costs, which eventually led to the company going bankrupt. Good security isn’t just a data protection compliance issue, it’s also a business survival issue.
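The credential-stuffing pattern described above, and the detection gap in the takeaways, can both be checked for in ordinary application authentication logs: one source address producing many failed logins across many distinct usernames in a short window, followed by successes that were never challenged for multi-factor authentication. The Python below is an added example written for this post; it is not code from 23andMe, the ICO or the original article, and the log format, IP addresses, usernames and alert thresholds are all constructed assumptions.

```python
"""Detect credential-stuffing patterns in web-app authentication logs.

Constructed example: the log format, thresholds, addresses and usernames
below are assumptions made for this demonstration, not anything from the
ICO penalty notice or 23andMe's systems.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log line shape: "<ISO time>Z src=<ip> user=<id> result=<fail|success> mfa=<none|totp>"
LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def make_sample_log():
    """Build a constructed auth log: one benign user and one stuffing source."""
    base = datetime(2023, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Benign: bob mistypes twice, then logs in with MFA from his usual address.
    for i, (res, mfa) in enumerate([("fail", "none"), ("fail", "none"), ("success", "totp")]):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.strftime(LOG_FORMAT)} src=198.51.100.4 user=bob@example.com result={res} mfa={mfa}")
    # Stuffing: one source tries 30 different accounts in three minutes; most
    # fail, two reused passwords happen to work, and no MFA challenge occurs.
    for i in range(30):
        t = base + timedelta(seconds=6 * i)
        res = "success" if i in (12, 27) else "fail"
        lines.append(f"{t.strftime(LOG_FORMAT)} src=203.0.113.7 user=user{i:02d}@example.com result={res} mfa=none")
    return lines


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware 'time' field."""
    ts, *kv = line.split()
    ev = dict(pair.split("=", 1) for pair in kv)
    ev["time"] = datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc)
    return ev


def detect_stuffing(lines, window=timedelta(minutes=10), min_failures=20, min_users=10):
    """Flag sources that spray failures across many distinct usernames.

    A sliding time window is kept per source address. When the window holds at
    least `min_failures` failed logins spread over at least `min_users`
    different usernames, the source is reported along with any accounts it
    successfully entered without an MFA challenge. Thresholds are assumptions;
    tune them to your own traffic.
    """
    by_src = defaultdict(list)
    for ev in sorted(map(parse_line, lines), key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end, ev in enumerate(events):
            # Drop events that fall outside the window ending at this event.
            while events[start]["time"] < ev["time"] - window:
                start += 1
            win = events[start:end + 1]
            failures = [e for e in win if e["result"] == "fail"]
            users = {e["user"] for e in failures}
            if len(failures) >= min_failures and len(users) >= min_users:
                unchallenged = sorted(
                    {e["user"] for e in win if e["result"] == "success" and e["mfa"] == "none"}
                )
                # Later windows overwrite earlier ones, so the report reflects
                # the largest burst seen for this source.
                alerts[src] = {
                    "src": src,
                    "failures": len(failures),
                    "distinct_users": len(users),
                    "unchallenged_successes": unchallenged,
                }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_stuffing(make_sample_log()):
        print(alert)
```

The benign user never trips the rule: two failures against a single username is normal behaviour, which is why the check requires many distinct usernames rather than just many failures. The `unchallenged_successes` field is the part a responder cares about most, since those are the accounts that should be locked and notified, and it is also direct evidence of the missing MFA control the ICO highlighted.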
Next Steps
Ensuring that you handle, process and store personal data in a way that’s in line with the law can be complex and time-consuming. To be confident that you’re compliant, and to address any concerns you may have, contact PRIVACY HELPER today, and let us remove the stress of managing data protection compliance within your business.