Tuesday 17 June 2025 2:45 pm  |  Updated:  Tuesday 17 June 2025 10:23 am

23andMe handed huge fine days after rescue

By: Saskia Koopman

Tech Reporter

23andMe has been fined more than £2m. (Photo by Justin Sullivan/Getty Images)

Testing firm 23andMe has been fined more than £2m for failing to protect the sensitive personal and genetic data of more than 155,000 UK customers, in what regulators described as a “profoundly damaging” breach.

The UK’s Information Commissioner’s Office (ICO) has fined the company £2.31m following a joint investigation with its Canadian counterpart, the Office of the Privacy Commissioner of Canada, in the wake of a large-scale cyber attack in 2023.

The breach exploited reused login credentials via a “credential stuffing” campaign, resulting in hackers accessing users’ names, ethnicity, genetic traits, health reports and family trees.

23andMe’s ‘delayed and inadequate’ response

The breach occurred between April and September 2023, during which hackers systematically accessed accounts using stolen login credentials from previous unrelated breaches.

Despite several warning signs – including a failed attempt to log into 1m accounts in a single day in July 2023 and activity involving profile transfers – the firm failed to launch a full investigation until October, when stolen data surfaced for sale on Reddit.

The ICO concluded that 23andMe had violated UK protection law in three ways: by failing to require multi-factor authentication, lacking proper data control, and failing to detect and respond in a timely manner.

“23andMe failed to take basic steps to protect this information”, said UK information commissioner John Edwards.

“Once this information is out there, it cannot be changed or reissued like a password or credit card number”.

Canadian privacy commissioner Philippe Dufresne added that the breach underscored the need for stronger security in an era of increasing ransomware and data threats: “Organisations that hold sensitive data must act with vigilance – and speed”.

Bankruptcy, bid war and founder’s comeback

The ICO fine comes just days after 23andMe’s co-founder Anne Wojcicki won the bidding to regain control of the company with a £305m offer via her nonprofit, TTAM Research Institute.

She outbid pharmaceutical giant Regeneron, which had earlier agreed to acquire the firm for £256m in a bankruptcy auction.

Once valued at $6bn, 23andMe filed for Chapter 11 bankruptcy in March 2025 after a dramatic fall in demand and lasting damage from the breach.

Wojcicki’s return marks a last-ditch attempt to revive the company’s mission, now under nonprofit ownership.

“I am thrilled that TTAM will be able to continue the mission of 23andMe to help people access, understand and benefit from the human genome”, said Wojcicki on Friday.

TTAM’s acquisition, which includes the company’s Personal Genome Service, Research Services, and Lemonaid Health, is pending court approval.

An industry wake-up call

The breach and subsequent enforcement action come at a time of growing scrutiny around data protection in biotech.

Nick Portch, director at Equinix, said secure collaboration and data sharing is essential for innovation, but must be underpinned by trust and infrastructure.

“Given the sensitivity of the data in life sciences, companies are right to be cautious – but secure sharing is possible”, Portch argued. “Sharing data opens the door to more impactful medical treatments and faster outcomes”.

The penalty also lands amid a broader UK push to back research and innovation.

As part of last week’s Spending Review, Chancellor Rachel Reeves confirmed that public R&D funding will rise to £22.6bn by 2029, supporting industrial strategy areas including AI, drug discovery and biotech manufacturing.

The ICO said 23andMe has since improved its systems sufficiently to close the investigation.

Yet, the regulator warned other firms that failure to act on early signs of intrusion will not be tolerated.

“Data protection doesn’t stop at borders”, Edwards added. “And neither do we”.
