Author: SteelEye
05 June 2025
Fine Amount: £2,310,000
Date: 5 June 2025
Primary Violations: GDPR Breaches
The UK’s Information Commissioner’s Office (ICO) has issued a penalty notice of £2,310,000 to the consumer genetics company 23andMe, Inc. The fine follows a joint investigation with the Office of the Privacy Commissioner of Canada (OPC) into a major data breach that came to light in October 2023.
The investigation found that, between May 2018 and December 2024, 23andMe failed to implement appropriate technical and organisational measures to protect its customer data. This failure allowed a threat actor to conduct a "credential stuffing" attack over at least five months, gaining access to the accounts of 155,592 UK-based customers.
The compromised data included highly sensitive special category data, such as genetic and health information, as well as data from which racial or ethnic origin could be inferred. The ICO found that 23andMe's security failings were serious and negligent, highlighting the absence of mandatory multi-factor authentication (MFA), inadequate password policies, and a failure to detect and respond to multiple clear indicators of a cyberattack.
The fine was significantly reduced from an initial proposal of £4.59 million after the ICO considered the company's deteriorating financial position, including its filing for Chapter 11 bankruptcy in the US.
The ICO’s investigation determined that the data breach was the result of a credential stuffing attack, a method in which attackers replay username and password combinations stolen from other websites against a target service to take over accounts whose owners reused those credentials. The attacker's activity on the 23andMe platform began as early as April 29, 2023.
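The ICO singled out the failure to detect clear indicators of the attack, and credential stuffing has a recognisable signature in authentication logs: one source trying many distinct usernames in a short window, mostly failing, with a few successes scattered among the failures. The following detector is an added example written for this page; it is not SteelEye, ICO or 23andMe code. The log format, the thresholds, the IP addresses and the usernames are all assumptions constructed for illustration.

```python
"""Credential-stuffing detector over a constructed authentication log.

Added example, not code from the page's author or from 23andMe. The
"timestamp ip username result" log format, the thresholds and the
addresses/usernames below are assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, source IP,
# username, OK/FAIL). 203.0.113.7 plays the stuffing source: eight
# different usernames in under 20 seconds, two of which succeed.
# 198.51.100.20 is a legitimate user mistyping their own password.
SAMPLE_LOG = """\
# constructed sample - every address and name here is invented
2023-04-29T01:00:01Z 203.0.113.7 alice FAIL
2023-04-29T01:00:03Z 203.0.113.7 bob OK
2023-04-29T01:00:05Z 203.0.113.7 carol FAIL
2023-04-29T01:00:08Z 203.0.113.7 dave FAIL
2023-04-29T01:00:10Z 203.0.113.7 erin FAIL
2023-04-29T01:00:12Z 203.0.113.7 frank FAIL
2023-04-29T01:00:15Z 203.0.113.7 grace OK
2023-04-29T01:00:17Z 203.0.113.7 heidi FAIL
2023-04-29T01:02:00Z 198.51.100.20 alice FAIL
2023-04-29T01:02:20Z 198.51.100.20 alice FAIL
2023-04-29T01:02:45Z 198.51.100.20 alice OK
2023-04-29T01:05:00Z 198.51.100.33 dave OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed four-column log format; '#' lines are comments."""
    events: list[LoginEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append(
            LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK")
        )
    return events


def detect_stuffing(
    events: list[LoginEvent],
    window: timedelta = timedelta(minutes=10),
    min_users: int = 5,
    min_fail_ratio: float = 0.5,
) -> dict[str, dict]:
    """Flag source IPs that, within any sliding window, touch at least
    `min_users` distinct accounts with a failure ratio >= `min_fail_ratio`.

    A legitimate user retrying their own password hits one account, so the
    distinct-user threshold is what separates stuffing from typos. For each
    flagged IP the successful logins are reported as accounts to step up
    (force a reset / require MFA), since those are the credentials that
    matched."""
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_ip[e.ip].append(e)

    findings: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, cur in enumerate(evs):
            # Advance the window start so the slice spans at most `window`.
            while cur.ts - evs[start].ts > window:
                start += 1
            win = evs[start : end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if not e.success)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                findings[ip] = {
                    "distinct_users": len({e.user for e in evs}),
                    "attempts": len(evs),
                    "failures": sum(1 for e in evs if not e.success),
                    "compromised": sorted({e.user for e in evs if e.success}),
                }
                break  # one finding per source IP is enough
    return findings


def accounts_to_step_up(findings: dict[str, dict]) -> list[str]:
    """Union of accounts that logged in successfully from a flagged source."""
    return sorted({u for f in findings.values() for u in f["compromised"]})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: {info}")
    print("step-up required for:", accounts_to_step_up(found))
```

The thresholds are deliberately simple; in practice the distinct-user count is the strongest signal because a password-spraying or stuffing source cannot avoid touching many accounts, while a single retrying customer cannot. Pairing the alert with an automatic step-up (reset plus MFA enrolment) on the successful logins addresses the two failings the ICO named together: missing MFA and missing detection.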
By compromising an initial set of accounts, the threat actor exploited 23andMe's "DNA Relatives" feature. This feature allows users to see and connect with their genetic relatives on the platform, and by default, it shares profile information. This mechanism magnified the breach's impact significantly. While only 611 UK customer accounts were directly breached through credential stuffing, the attacker was able to scrape the data of thousands more connected via the DNA Relatives feature.
In total, 155,592 UK customers were affected. The exfiltrated data included:
The attacker posted this data for sale on online forums, specifically targeting customers based on their racial and ethnic backgrounds.
The Commissioner found that 23andMe committed serious infringements of UK GDPR Articles 5(1)(f) and 32(1) over a period from 25 May 2018 to 31 December 2024. The key failures included:
The ICO concluded that the final penalty of £2,310,000 was effective, proportionate, and dissuasive, reflecting the seriousness of the failings while accounting for the company's current financial hardship.