UK data privacy regulator fines 23andMe over cyber practices in wake of hack
Editor's Note: This article was updated at 10:30 a.m. EST with comments from a 23andMe spokesperson.
The United Kingdom’s top data privacy regulator on Tuesday fined the embattled personal genomics company 23andMe more than $3 million over allegedly poor cybersecurity practices and a slow response to a devastating 2023 data breach.
The breach, which revealed the genetic data of millions of the firm’s customers, spanned several months during which 23andMe failed to act, the Information Commissioner’s Office said in a press release announcing the £2.31 million fine ($3.14 million).
The news comes on the heels of Friday’s announcement that the TTAM Research Institute — a nonprofit recently founded by 23andMe’s former CEO, Anne Wojcicki — won a bankruptcy auction to take control of the company.
The ICO noted that 23andMe failed to require additional verification measures for users to “access and download their raw genetic data.” The regulator conducted its investigation with the Office of the Privacy Commissioner of Canada.
The genetic testing firm broke several U.K. laws, the ICO said, including by failing to require multifactor authentication (MFA), secure passwords and hard-to-predict usernames. 23andMe also had no systems in place to monitor, detect and respond to cyber threats, the regulator said.
A 23andMe spokesperson, who did not directly address the regulator’s fine, said that “by the end of 2024, 23andMe had implemented multiple steps to increase security to protect individual accounts and information.”
The so-called credential stuffing attack began in April 2023, and a few months later the hacker logged into a free account more than a million times in the course of a single day, the ICO said, as part of an attempt at “profile transfers.”
The extreme number of logins caused the company’s platform to shut down, the ICO said. Later that month, the hacker again tried to trigger profile transfers in 400 separate accounts, the regulator said.
23andMe probed the incident at that point but did not realize it was part of a much bigger and long-running hack, the regulator claimed. The following month, the genomics company dismissed claims of data thefts impacting more than 10 million users as untrue.
By September, the hacker intensified the credential stuffing scheme, the regulator said, but 23andMe did not launch a full investigation until October 2023, when one of its employees became aware that stolen company data was being peddled on Reddit.
At that point, six months after the attack started, 23andMe confirmed the breach.
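As an added illustration (not code from the article, the ICO or 23andMe), the following Python detector runs over a small constructed login log and flags the three signals the regulator's timeline describes: one account logged into far more often than any person would, a single source address attempting many accounts with mostly failed logins, and a burst of profile-transfer requests across many accounts. The log fields, event names and thresholds are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (illustrative only; not real 23andMe data):
# each event is (timestamp, account, source_ip, event_type)
BASE = datetime(2023, 5, 1, 9, 0)
EVENTS = []
for i in range(30):  # ordinary users: one login each from their own address
    EVENTS.append((BASE + timedelta(minutes=i), f"user{i}", f"10.0.0.{i}", "login_ok"))
for i in range(50):  # one address tries 50 different accounts in 5 minutes, mostly failing
    status = "login_ok" if i % 10 == 0 else "login_fail"
    EVENTS.append((BASE + timedelta(seconds=6 * i), f"victim{i}", "203.0.113.7", status))
for i in range(500):  # the same address logs into one free account 500 times in ~8 minutes
    EVENTS.append((BASE + timedelta(hours=1, seconds=i), "free_acct", "203.0.113.7", "login_ok"))
for i in range(40):  # then requests profile transfers on 40 accounts within 40 seconds
    EVENTS.append((BASE + timedelta(hours=2, seconds=i), f"victim{i}", "203.0.113.7", "profile_transfer"))

def logins_per_account_per_day(events, ceiling=100):
    """Accounts whose successful logins on one calendar day exceed `ceiling`."""
    counts = Counter((acct, t.date()) for t, acct, _, ev in events if ev == "login_ok")
    return {acct: n for (acct, _), n in counts.items() if n > ceiling}

def burst_by_source(events, kinds, window, min_accounts, min_fail=0.0):
    """Source addresses touching >= `min_accounts` distinct accounts within `window`
    (events of the given `kinds` only); optionally require a failed-login share."""
    by_ip = defaultdict(list)
    for t, acct, ip, ev in events:
        if ev in kinds:
            by_ip[ip].append((t, acct, ev))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):  # sliding window anchored at each event
            win = [r for r in rows[i:] if r[0] - t0 <= window]
            accts = {acct for _, acct, _ in win}
            fail_share = sum(ev == "login_fail" for _, _, ev in win) / len(win)
            if len(accts) >= min_accounts and fail_share >= min_fail:
                flagged[ip] = len(accts)
                break
    return flagged

def stuffing_sources(events):
    """Credential-stuffing signature: many accounts, mostly failed logins, one address."""
    return burst_by_source(events, {"login_ok", "login_fail"}, timedelta(minutes=10), 20, 0.8)

def transfer_bursts(events):
    """Profile transfers requested on many accounts from one address in a short window."""
    return burst_by_source(events, {"profile_transfer"}, timedelta(minutes=10), 10)

if __name__ == "__main__":
    print(logins_per_account_per_day(EVENTS), stuffing_sources(EVENTS), transfer_bursts(EVENTS))
```

In production the same three checks would be fed from the authentication service's event stream and paired with rate limiting on the login and profile-transfer endpoints, so that an alert fires long before a platform-wide outage does.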
It took until the end of 2024 for the company’s security improvements to become “sufficient,” the ICO alleged. The hacker obtained personal data belonging to nearly 156,000 U.K. residents, and in some cases family trees and health conditions were exposed, the regulator said.
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number,” U.K. Information Commissioner John Edwards said in a statement.
“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”
According to the 23andMe spokesperson, as part of TTAM’s agreement to buy the company, it has made “several binding commitments to enhance protections for customer data and privacy, including allowing individuals to delete their account and opt out of research at any time [and] notifying customers via email at least 2 days prior to the closing of the acquisition about details on TTAM’s role.”
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.