On 17 June 2025, the ICO announced that it had issued a monetary penalty of £2.31 million against the genetics and research company 23andMe, following a joint investigation with the Office of the Privacy Commissioner of Canada. The ICO's investigation began after a series of large-scale credential-stuffing attacks in 2023, which resulted in unauthorised access to around 14,601 23andMe user accounts and exposed the personal data of around 10 million individuals (155,592 of whom were UK residents).
Background
The attacker carried out a series of credential-stuffing attacks, replaying username and password pairs harvested from earlier, unrelated breaches against 23andMe's login page. Because 23andMe's login controls did not stop this (see the ICO's findings below), the attacker gained access to customer accounts and used 23andMe's 'DNA Relatives' feature to download files, exposing not only the compromised account holders' information but also that of the individuals linked to them through family trees. The personal data accessed included names, locations, dates of birth, photos, ethnicity information and genetic health predispositions. The ICO found no evidence that raw DNA files had been downloaded, although the attacker had access to them (so hopefully 23andMe customers won't be cloned on the dark web!).
The ICO observed that 23andMe received multiple warnings of a potential attack between July and September 2023, including a login 'spike' in July 2023 (an unusual number of successful logins, which is exactly what a credential-stuffing run produces when a proportion of the replayed passwords are still valid) and direct contact from third parties alleging that customer personal data was being sold online, including on the dark web. These were dismissed as isolated incidents.
It was only in October 2023, following a post on Reddit that explicitly offered 23andMe data for sale, that 23andMe launched a full internal investigation. The ICO considered this a serious failing in breach response procedures, given the sensitivity of the data and the foreseeable risk posed by weak authentication practices.
The ICO's findings
Security measures
The ICO found that 23andMe had failed to implement:
- Appropriate authentication and verification measures as part of its customer login process (including failure to implement mandatory multi-factor authentication and secure password requirements);
- Appropriate security measures (specifically relating to the download of raw DNA data);
- Measures to detect and appropriately respond to threats to its customers' personal data; and
- An appropriate process for testing and assessing technical and organisational measures.
The ICO was clear that these measures fell short of what was expected, particularly given that 23andMe processed (and continues to process) highly sensitive personal data at scale. While 23andMe clearly had insufficient security measures in place, the notice reinforces the position that where data is inherently sensitive (and where system design increases exposure, as with linked family profiles), the bar for 'appropriate' technical and organisational measures is correspondingly high.
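To make the July 2023 'login spike' warning sign and the finding on detection measures concrete, the following Python script is an added example; it is not 23andMe's code and does not come from the ICO notice. It builds a constructed week of ordinary logins followed by one hour of credential stuffing from a single source address, then runs three checks over the events: an hourly successful-login spike, a per-source 'many distinct accounts, mostly failures' fingerprint, and a conventional per-account lockout. The event format, thresholds and IP addresses are assumptions chosen for illustration.

```python
"""Credential-stuffing indicators over constructed login events.

Added example: not 23andMe's code or the ICO's. The event format,
thresholds, addresses and sample traffic below are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    account: str
    success: bool


def build_sample_events() -> list[LoginEvent]:
    """Constructed data: a week of ordinary logins, then one hour of
    credential stuffing from one source. Not real traffic."""
    events = []
    start = datetime(2023, 7, 3)
    # Baseline: one legitimate successful login per hour, each from its own
    # address, with an occasional mistyped password before the real one.
    for hour in range(7 * 24):
        ts = start + timedelta(hours=hour, minutes=17)
        user = f"user{hour % 500:03d}"
        ip = f"198.51.100.{hour % 250 + 1}"
        if hour % 9 == 0:
            events.append(LoginEvent(ts, ip, user, False))
        events.append(LoginEvent(ts + timedelta(minutes=1), ip, user, True))
    # Attack: 200 harvested username/password pairs replayed once each from
    # 203.0.113.5. Most fail (password changed or never reused); some succeed.
    attack_start = start + timedelta(days=7, hours=2)
    for i in range(200):
        ts = attack_start + timedelta(seconds=i * 9)
        events.append(LoginEvent(ts, "203.0.113.5", f"victim{i:03d}", i % 13 == 0))
    return sorted(events, key=lambda e: e.ts)


def hour_bucket(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def success_spike_hours(events, factor=5.0, min_count=10):
    """Hours whose successful-login count is far above the median hour.
    A stuffing run that lands on reused passwords produces an unusual
    number of *successes*, which is the 'login spike' signal."""
    per_hour = defaultdict(int)
    for e in events:
        if e.success:
            per_hour[hour_bucket(e.ts)] += 1
    threshold = max(min_count, factor * median(per_hour.values()))
    return {h: n for h, n in per_hour.items() if n >= threshold}


def stuffing_sources(events, min_accounts=20, min_failure_ratio=0.5):
    """Source addresses that try many *distinct* accounts within one hour
    with a high failure ratio: the fingerprint of replaying a leaked list,
    one attempt per account."""
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "failures": 0})
    for e in events:
        s = stats[(e.src_ip, hour_bucket(e.ts))]
        s["accounts"].add(e.account)
        s["attempts"] += 1
        s["failures"] += 0 if e.success else 1
    flagged = {}
    for (ip, hour), s in stats.items():
        n = len(s["accounts"])
        if n >= min_accounts and s["failures"] / s["attempts"] >= min_failure_ratio:
            flagged[ip] = {"hour": hour, "distinct_accounts": n,
                           "attempts": s["attempts"],
                           "successes": s["attempts"] - s["failures"]}
    return flagged


def per_account_lockout_hits(events, max_failures=5):
    """Accounts a classic per-account lockout would have locked. Stuffing
    sends about one guess per account, so this control stays silent even
    while hundreds of accounts are being tested."""
    failures = defaultdict(int)
    for e in events:
        if not e.success:
            failures[e.account] += 1
    return [a for a, n in failures.items() if n >= max_failures]


if __name__ == "__main__":
    evts = build_sample_events()
    print("spike hours:", success_spike_hours(evts))
    print("stuffing sources:", stuffing_sources(evts))
    print("per-account lockouts:", per_account_lockout_hits(evts))
```

The per-account lockout returns nothing, which is the point: a stuffing run sends roughly one guess per account, so a control tuned for brute force against a single account never fires, while the volume-level and source-level checks both do. In production the same signals would be computed from the login audit log or a WAF feed, the baseline would come from a rolling window rather than the whole data set, and a flagged hour would be a trigger for the breach response process, not something to file as an isolated incident.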
23andMe did introduce multi-factor authentication and account deletion options after the breach, but measures adopted only after the event did not displace the ICO's findings about the controls in place at the time.
Inadequate breach management
The notice goes into detail on 23andMe's delayed and inadequate breach response. As noted above, 23andMe received several warning signs about the potential exposure of customer data, and these were treated as isolated incidents.
The inadequate management of the incident meant that 23andMe failed to notify the ICO without undue delay and within the statutory 72 hours, and failed to keep appropriate records relating to the breach. The notice sets out the details of 23andMe's breach response and notes that the company failed to provide sufficient detail to the ICO, necessitating 'multiple follow-up questions and requests for clarification'.
In relation to this aspect of the breach, the penalty was also influenced by a lack of effective organisational controls despite the known risk of credential stuffing, and by the delay in responding to warning signs, suggesting broader cultural and governance weaknesses. The ICO's findings echo past enforcement against British Airways and Marriott, where delayed breach recognition was a key aggravating factor.
While some may have questioned the point of issuing a monetary penalty against a company that has filed for bankruptcy, 23andMe was recently acquired by its founder under a non-profit structure with binding privacy commitments, meaning that the enforcement may still carry weight.
What should you do now?
For controllers processing high-risk data, it is clear that basic security controls such as multi-factor authentication and breach detection systems are expected, particularly where the data is of a kind that individuals cannot replace or revoke. The ICO quoted its own guidance on data security throughout the notice, and it would expect controllers to have considered that guidance and the various security measures it suggests.
It is also clear that controllers must take any possible data security breach seriously and investigate it appropriately, particularly where there are warning signs from multiple sources. It is especially important to be prepared to respond to such incidents, with a clear data breach response process and an investigation team ready to act.
The ICO also recommends that data subjects "use strong, unique passwords for each account; enable multi-factor authentication wherever possible; and remain vigilant against phishing emails or messages that reference personal or genetic information".
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.