23andMe fined after data breach and founder buyback

UK regulators cite major failings in securing genetic data.


UK regulators have fined DNA testing company 23andMe more than £2.3 million following a cyberattack that exposed the sensitive genetic information of over 155,000 British customers — just months after the company was rescued from bankruptcy by its co-founder.

The penalty, imposed by the Information Commissioner’s Office (ICO), marks one of the most significant UK enforcement actions to date relating to genetic data. The breach occurred between April and September 2023, when attackers exploited reused passwords to gain unauthorised access to user accounts in a credential-stuffing campaign. The compromised data included individuals’ names, ethnic backgrounds, health reports, and family ancestry.

The ICO’s investigation, carried out jointly with Canada’s privacy commissioner, found that 23andMe had failed to take “basic security measures” to prevent the breach. These included the absence of multi-factor authentication, poor data management, and delays in responding to clear warning signs — including a single-day spike in attempted log-ins across one million accounts. Although the company became aware of unusual activity by summer 2023, it did not begin a full investigation until October, when customer data was found being offered for sale on Reddit.

John Edwards, the UK Information Commissioner, said the incident underscored the irreversible nature of genetic data loss. “Once this information is out there, it cannot be changed or reissued like a password or credit card number,” he said. Canadian commissioner Philippe Dufresne added that life sciences firms needed to operate with “diligence — and urgency.”

The regulatory action comes just weeks after 23andMe was bought out of bankruptcy by its co-founder, Anne Wojcicki. In March 2025, the company filed for Chapter 11 protection in the US after a sharp decline in customer demand and the reputational damage following the breach. Wojcicki reacquired the company for $305 million (£240 million) through her non-profit, TTAM Research Institute — outbidding pharmaceutical giant Regeneron. The acquisition, which includes 23andMe’s personal genome services and Lemonaid Health subsidiary, is pending final court approval.

Wojcicki has positioned the deal as a mission-led revival. “TTAM will carry on the mission of 23andMe to enable individuals to access, comprehend, and benefit from the human genome,” she said.

Yet the company faces mounting scrutiny. A coalition of 27 US states and Washington, D.C. have launched legal action against 23andMe over its handling of the breach. In parallel, lawmakers including Rep. Alexandria Ocasio-Cortez have demanded answers about consumer data rights and consent.

Industry observers say the case could have far-reaching implications for data governance across the biotech sector. “The trust cost is enormous,” said Nick Portch, director at digital infrastructure firm Equinix. “But secure data sharing is not impossible — it’s foundational to medical innovation. The lesson here is that privacy and progress must be designed together.”

The fine also arrives amid increased UK investment in research and innovation. The new Labour government has pledged to raise public R&D spending to £22.6 billion by 2029, with biotech and life sciences among the key focus areas. Regulators have signalled that compliance expectations will rise in step.

The ICO confirmed that 23andMe had since improved its security processes but warned that the case should act as a deterrent. “Data protection does not stop at borders,” Edwards said. “And neither do we.”

