June 26, 2025
Compliance
Data Protection Law

On 17 June 2025, the UK Information Commissioner’s Office (ICO) imposed a fine of £2.31 million on genetic testing company 23andMe for multiple infringements of the UK GDPR. The fine followed an extensive investigation into a large-scale data breach that exposed the personal data of hundreds of thousands of UK customers. The ICO concluded that 23andMe failed to implement appropriate technical and organisational measures to protect customers’ sensitive personal data, particularly genetic data, resulting in unlawful access by a third party. 

Background 

23andMe is a US-based biotechnology company that provides genetic testing services directly to consumers through home saliva collection kits. Customers receive insights into their ancestry, heritage and potential health predispositions. In doing so, 23andMe collects and stores highly sensitive personal data, including genetic data, which is classified under UK GDPR as special category personal data requiring enhanced protection. 

The data breach

In 2023, a hacker carried out a credential-stuffing attack to gain unauthorised access to personal data relating to more than 155,000 UK customers. Credential stuffing involves using previously compromised username and password combinations from unrelated breaches to gain access to accounts on other platforms. 

Once access was obtained, the hacker offered the stolen data, some of which constituted special category personal data such as genetic or health information, for sale on online forums. The breach exposed vast amounts of sensitive data with little recourse for affected individuals. 


Under UK GDPR, data controllers must ensure that personal data is processed securely. Two key provisions, amongst others, were found to have been breached: 

Article 5(1)(f) – requires personal data to be processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Article 32(1) – requires data controllers and processors to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

In reaching its decision, the ICO also referenced its own guidance, including: 

ICO findings

Inadequate security measures

Despite processing high-risk personal data, 23andMe failed to implement appropriate technical and organisational measures. The ICO concluded that the company’s existing security measures did not meet the standards required under UK GDPR, especially given the nature and volume of data involved. 

Some of the 23andMe security measures the ICO focused on included: 

a. Username and login practices: 23andMe required users to log in using email addresses, rather than offering the option of unpredictable usernames, which would have been considered an appropriate technical measure under Article 5(1)(f) and Article 32(1)(b) UK GDPR. While not a specific requirement under UK GDPR, the ICO viewed this as a missed opportunity to strengthen account security. The use of predictable login credentials contributed to the success of the credential-stuffing attack.

b. Password management failures: 23andMe failed to enforce strong password policies. At the time of the data breach: 

  • the minimum password length was only 8 characters
  • there were no complexity requirements (like special characters) 
  • users could reuse old passwords until August 2023
  • no password ‘deny list’ was in place to prevent use of common or weak passwords

These practices fell short of the ICO’s guidance on passwords in online services which recommends steps such as minimum password length, enforcing password strength and using deny lists. 

c. Failure to mandate multi-factor authentication (MFA): Despite the availability of MFA within the 23andMe platform, 23andMe failed to make it mandatory. At the time of the breach: 

  • only 0.2% of customers used MFA (which was optional)
  • a further 21.5% used SSO via Apple or Google (which required MFA) 
  • none of the accounts with MFA or SSO enabled were compromised

23andMe stated it avoided mandating MFA due to concerns that some customers, typically older users, may lack basic digital skills. The ICO viewed this as an inadequate explanation of why MFA was not made a mandatory part of the 23andMe login process. Mandatory MFA is widely recognised (including by the National Cyber Security Centre (NCSC)) as one of the most effective ways of protecting customer accounts. 

d. Lack of supplementary measures: the ICO also pointed out that, in the absence of mandatory MFA, 23andMe could have implemented other measures to mitigate the risks, but it failed to do so. 

Such measures could have included device, browser or connection fingerprinting or account access history for users.

The ICO held that such controls, while not specifically required under the UK GDPR, would have constituted appropriate technical measures which would have ensured, combined with other measures, an appropriate level of protection of the personal data.

e. Insufficient protection of genetic data: Customers were able to download their raw genetic data immediately after logging in, without any additional verification. This presented a significant risk as genetic data is inherently sensitive and requires enhanced protection. 

While 23andMe later introduced a date of birth check, the ICO noted that such information is often easily available to hackers and therefore not sufficient as an authentication step. Furthermore, internal logging did not capture IP addresses used to download genetic data, leaving 23andMe unable to determine how many genetic data files had been accessed by the hacker. 

f. Failure to prepare for known threats: The ICO found that 23andMe failed to adequately assess and test its systems against the known and increasing threat of credential stuffing attacks. The company also failed to prepare internal reports evaluating the effectiveness of its technical and organisational security measures, contrary to the ICO’s guide to data security. 

The risk to 23andMe was not hypothetical. The company had previously identified isolated credential stuffing incidents on its platform in 2019 and 2020. Despite this, it did not simulate or prepare for such attacks. Only after October 2023 (after the cyber-attack) did 23andMe begin using testing accounts to simulate credential stuffing, update its alerting systems and conduct cybersecurity exercises. 

The ICO also noted that 23andMe’s response to the cyber-attack was delayed and inadequate despite early warning signs. Although suspicious activity began in April 2023, followed by intense credential stuffing activity in May and then again in September 2023, 23andMe only started a full investigation in October 2023, when one of its employees spotted the stolen data on Reddit. 
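The alerting the ICO expected turns on a simple signal: one source trying many different accounts in a short window with mostly failed logins. The detector below, an added example that is not part of the ICO decision or 23andMe’s systems, runs over constructed authentication log lines and reports, per offending IP, how many accounts were tried and which logins nonetheless succeeded (the accounts to lock and notify first). The log format, window and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data: "timestamp source_ip account result".
# 203.0.113.5 walks through six accounts in ten seconds and gets into one;
# 198.51.100.7 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.5 alice@example.com FAIL
2023-05-01T10:00:03 203.0.113.5 bob@example.com FAIL
2023-05-01T10:00:05 203.0.113.5 carol@example.com SUCCESS
2023-05-01T10:00:07 203.0.113.5 dave@example.com FAIL
2023-05-01T10:00:09 203.0.113.5 erin@example.com FAIL
2023-05-01T10:00:11 203.0.113.5 frank@example.com FAIL
2023-05-01T10:02:00 198.51.100.7 grace@example.com FAIL
2023-05-01T10:02:20 198.51.100.7 grace@example.com SUCCESS
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the assumed four-field format into (time, ip, account, result), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, min_fail_ratio=0.6) -> dict:
    """Flag IPs that try at least `min_accounts` distinct accounts within `window` with a
    failure ratio of `min_fail_ratio` or more. A legitimate user retrying their own password
    touches one account and is never flagged, however many times they fail."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):            # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            seen = evs[start:end + 1]
            accounts = {e[2] for e in seen}
            failures = sum(e[3] == "FAIL" for e in seen)
            if len(accounts) >= min_accounts and failures / len(seen) >= min_fail_ratio:
                alerts[ip] = {"accounts": len(accounts), "failures": failures,
                              "logged_in": sorted(e[2] for e in seen if e[3] == "SUCCESS")}
    return alerts
```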

Presence of aggravating factors

In assessing the severity of a potential breach of the UK GDPR, the ICO considers whether any aggravating factors are present that would warrant a more significant fine for the organisation. 

The ICO held that there were aggravating factors. The key factors included: 

  • inadequate reporting to the ICO
  • the sensitivity of the personal data involved
  • the number of individuals affected
  • the extended period of non-compliance
  • the significant damage and distress caused 
  • delays in identifying the breach

Conclusion

This enforcement action underscores the importance of proactive, risk-based security practices, particularly when handling sensitive or special category personal data, such as genetic data. 

The ICO found that 23andMe failed to meet basic expectations under the UK GDPR, despite being aware of the risks and having experienced similar issues in the past. Given that 23andMe was collecting the genetic data of its customers, it was obvious that stringent measures needed to be put in place to protect personal data. 

The ICO’s investigation highlights how a failure to align with regulatory expectations and established cybersecurity best practices, such as those outlined in the UK GDPR, NCSC guidance and the ICO’s recommendations, can have serious consequences not only for organisations but also for the individuals whose data they hold. This case serves as a clear warning to all data controllers about the cost of non-compliance.

However, whilst this ICO fine is significant, it is to be noted that the ICO will also examine cyber-attacks committed against much smaller organisations that process much less important types of personal data. If any organisation, no matter the size, leaves itself obviously open to cyber-attacks it can expect to be exposed to the ICO and the fining regime under the UK GDPR. 

This enforcement action also serves as a reminder that non-UK based organisations can be exposed to the UK GDPR (and the EU GDPR) and European regulators where such foreign entities have UK or EU customers. 

If your organisation handles personal data and you need support with reviewing your data protection policies, documents or procedures, please contact our data protection specialists Neil Williamson or Colin Lambertus.
