UK Regulators Fine 23andMe £2.3 Million for Massive Genetic Data Breach

UK fines 23andMe £2.3M for data breach exposing 155K genetic profiles. Company now bankrupt after hackers accessed family trees and health data.

By Al Landes


Image credit: Flickr/ Mike Mozart

Key Takeaways

  • Hackers used recycled passwords to steal sensitive genetic and health data from 23andMe.

  • 23andMe failed to enforce multi-factor authentication before the major security breach.

  • Now bankrupt, 23andMe is being bought by its founder’s nonprofit for $305 million.

The UK’s Information Commissioner’s Office just dropped a £2.31 million fine on 23andMe for a 2023 data breach that exposed genetic information from 155,592 UK residents. This isn’t your typical “oops, wrong email” mistake — we’re talking family trees, health reports, and ethnic backgrounds scattered across the dark web like something out of a cyberthriller. The breach, which stemmed from a credential stuffing attack, compromised data from 14,000 accounts and affected millions of people with linked DNA profiles, raising urgent questions about whether your DNA is at risk.

Security Failures That Cost Millions

The ICO’s investigation revealed that 23andMe operated as if it were still running Windows XP in 2023. It had no mandatory multi-factor authentication, weak monitoring that missed obvious red flags, and a delayed response even though warning signs had been flashing for months, like a smoke detector with dying batteries.
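To make the “obvious red flags” concrete, here is an added example (not code from the article or from 23andMe): a small Python detector run over constructed login events that flags the credential-stuffing signature of one source IP trying many distinct accounts with mostly failed logins, and lists the logins that succeeded inside such a burst. The sample events, IP addresses and thresholds are all made up.

```python
"""Toy credential-stuffing detector over constructed login events: one source IP,
many distinct accounts, mostly failures inside a short window. A success inside
such a burst is the likely account takeover worth alerting on."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, NOT real 23andMe logs: (ISO timestamp, source IP, account, success)
SAMPLE_EVENTS = [
    ("2023-04-01T10:00:00", "203.0.113.7", "user1@example.com", False),
    ("2023-04-01T10:00:03", "203.0.113.7", "user2@example.com", False),
    ("2023-04-01T10:00:06", "203.0.113.7", "user3@example.com", False),
    ("2023-04-01T10:00:09", "203.0.113.7", "user4@example.com", False),
    ("2023-04-01T10:00:12", "203.0.113.7", "user6@example.com", False),
    ("2023-04-01T10:00:15", "203.0.113.7", "user5@example.com", True),   # a recycled password worked
    ("2023-04-01T10:05:00", "198.51.100.4", "user9@example.com", False),  # ordinary typo by a real user
    ("2023-04-01T10:05:20", "198.51.100.4", "user9@example.com", True),
]

def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, min_fail_ratio=0.6):
    """Return {source_ip: {"accounts_tried": n, "successful_logins": [...]}} for suspicious IPs."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), account, ok))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # keep the sliding window bounded
                start += 1
            win = rows[start:end + 1]
            accounts = {a for _, a, _ in win}
            fail_ratio = sum(1 for _, _, ok in win if not ok) / len(win)
            if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
                alert = alerts.setdefault(ip, {"accounts_tried": 0, "successful_logins": set()})
                alert["accounts_tried"] = max(alert["accounts_tried"], len(accounts))
                # Logins that succeeded inside the burst are the likely takeovers to investigate.
                alert["successful_logins"] |= {a for _, a, ok in win if ok}
    for alert in alerts.values():  # deterministic, JSON-friendly output
        alert["successful_logins"] = sorted(alert["successful_logins"])
    return alerts

if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_EVENTS))
```

Real deployments would key on more than source IP (ASN, user agent, device fingerprint) and would pair the alert with a forced step-up to MFA for the affected accounts, which is exactly the control the ICO found missing.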

Information Commissioner John Edwards didn’t mince words: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions.”

Your genetic data isn’t like a credit card number — you can’t just get a new one issued. Once that information hits the internet, it stays there forever, potentially affecting not just you but your relatives who never even used the service.

What Got Exposed (And What Didn’t)

The stolen data included names, birth years, locations, profile photos, race, ethnicity, health reports, and family connections. Thankfully, raw DNA data wasn’t compromised, but hackers still grabbed enough personal details to cause serious privacy headaches that would make even Mark Zuckerberg nervous.

The breach particularly targeted users with Ashkenazi Jewish heritage, adding a disturbing dimension to an already messy situation. Here’s what the attack timeline looked like:

  • April 2023: Hackers began accessing accounts through credential stuffing.
  • October 2023: 23andMe finally detected the breach after months of activity.
  • December 2023: The company began notifying affected users.
  • 2024: 23andMe implemented proper security measures (better late than never).
  • March 2025: The company filed for bankruptcy.

For a comprehensive overview of the incident and what was exposed, see the 23andMe data leak.

“Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information,” said Philippe Dufresne, Canada’s Privacy Commissioner, who worked with UK regulators on this case.

The Bankruptcy Aftermath

23andMe went from a $6 billion valuation in 2021 to bankruptcy court in March 2025 faster than you can say “data breach settlement”. The privacy disaster wasn’t the only culprit — declining demand and general creepiness concerns had already hurt the business, but it certainly accelerated the company’s downward spiral.

Anne Wojcicki, 23andMe’s co-founder, is buying back the company through her nonprofit TTAM Research Institute for $305 million. She’s promising better data protection and giving customers the right to delete their genetic information entirely. Whether that’s enough to rebuild trust remains to be seen, but at least 15% of customers have already requested data deletion since the bankruptcy filing.

This case sets a serious precedent for companies handling genetic data. The ICO’s fine might seem modest compared to 23andMe’s former valuation, but it sends a clear message: treat genetic information like the special category data it is, or face the consequences. Your DNA deserves better security than your Netflix password.
