On 5 June 2025, the UK Information Commissioner’s Office issued a significant monetary penalty notice against 23andMe, Inc., imposing a fine of £2.3 million for serious violations of the UK General Data Protection Regulation. This enforcement action, which followed a joint investigation with the Office of the Privacy Commissioner of Canada, was prompted by a significant data breach that compromised the personal and special category data of 150,000 UK data subjects.
Nature and scope of the data breach
23andMe is a global provider of genetic testing services. Consumers can have their DNA mapped and then match their genetic data against that of other customers in order to trace their ancestry and build their family tree.
The compromise of 23andMe’s systems happened in 2023 and was caused by a credential stuffing attack, in which attackers used usernames and passwords, previously compromised in unrelated data breaches, to attempt logins on 23andMe’s platform. Around 300,000 login attempts were made, resulting in the compromise of 611 customer accounts. Due to the interconnected nature of 23andMe’s genetic matching services (such as ancestry searches and family trees), access to a single account revealed information about multiple individuals. As a result, the attacker was able to download from those accounts data relating to approximately 150,000 UK individuals.
Two UK individuals had their raw genetic data exfiltrated using a function built into the customer accounts that allowed the customer to download their own data. Even where raw genetic data was not stolen, the ICO found that the confidentiality and integrity of the raw genetic data associated with the 611 breached accounts was compromised.
Beyond the raw genetic data, the wider stolen dataset (such as ancestry reports and family trees) included, or impliedly revealed, sensitive characteristics such as race, ethnicity, and health status of approximately 150,000 people. This data constituted special category data under Article 9 of the UK GDPR.
Regulatory findings
The ICO found that 23andMe had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in breach of Articles 5(1)(f), 32(1)(b), and 32(1)(d) of the UK GDPR. The company’s security posture was found to be inadequate, particularly given the high sensitivity of the data it processed.
The investigation revealed that 23andMe’s password policies were weak, with insufficient requirements for complexity or length, and no checks were undertaken against known compromised password lists. Customers were not provided with adequate guidance on creating strong passwords at the point of account creation. The use of email addresses as usernames was also criticised, as it increased the risk of successful credential stuffing attacks. Multi-factor authentication (MFA) was offered by 23andMe but not mandated, a decision the ICO found unacceptable given the high-risk nature of the data involved. Despite 23andMe’s claim that mandatory MFA would be difficult for users, particularly those who are older and vulnerable and lacking in basic digital skills, the ICO effectively said that MFA is now a mandatory requirement for all online accounts.
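To make the password findings above concrete, the following is an added example (not 23andMe's code and not taken from the penalty notice) of an account-creation check covering the gaps the ICO identified: a minimum length, rejection of passwords that embed the account's username, and a lookup against a compromised-password list. The lookup uses the hash-prefix (k-anonymity) pattern that public breached-password range services use, so the full password hash never leaves the client. The breached list here is a constructed four-entry stand-in, and all function names are my own.

```python
import hashlib
from typing import Dict, List, Optional, Set

# Constructed sample of passwords known to appear in public breach corpora.
# A real deployment checks against a large compromised-password list;
# these four are stand-ins so the example runs offline.
CONSTRUCTED_BREACHED = {"password1", "qwerty123", "letmein", "Summer2023!"}

MIN_LENGTH = 12


def sha1_upper(text: str) -> str:
    """Upper-case hex SHA-1, the encoding breached-password range services use."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Server-side corpus organised the way range-query services organise it:
# 5-hex-char prefix -> set of the remaining 35-char suffixes.
BREACHED_BY_PREFIX: Dict[str, Set[str]] = {}
for _pw in CONSTRUCTED_BREACHED:
    _h = sha1_upper(_pw)
    BREACHED_BY_PREFIX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> Set[str]:
    """Stand-in for the remote range endpoint: given the first 5 hex chars of a
    SHA-1, return every known suffix sharing that prefix. The client only ever
    sends the prefix, so the service cannot tell which password was checked."""
    return BREACHED_BY_PREFIX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    """Client side of the k-anonymity check: hash locally, query by prefix,
    compare the suffix locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def password_issues(password: str, username: Optional[str] = None) -> List[str]:
    """Return the policy violations for a candidate password; an empty list
    means the password is accepted. Suitable for giving the user specific
    guidance at the point of account creation."""
    issues: List[str] = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if username:
        # If the username is an e-mail address, only the local part matters.
        local = username.split("@", 1)[0].lower()
        if len(local) >= 3 and local in password.lower():
            issues.append("contains the account username")
    if is_breached(password):
        issues.append("appears in a known-compromised password list")
    return issues


if __name__ == "__main__":
    for candidate in ("password1", "alice-loves-genomics-2023", "correct-horse-battery-staple-42"):
        print(candidate, "->", password_issues(candidate, "alice@example.com") or "accepted")
```

The check is deliberately cheap enough to run on every password change as well as at sign-up, which is what makes a compromised-password list useful against credential stuffing: the attacker's reused passwords are, by definition, the ones already on such lists.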
There was no device fingerprinting in place, meaning customers could not restrict access to their trusted devices. Nor were customers notified when their accounts were accessed from new devices or IP addresses, and they were not given access to their own login histories so that they could check for unauthorised logins.
23andMe had not conducted breach simulations or penetration tests specifically targeting credential stuffing even though this was a well-known risk (and the tests it did undertake were undocumented – which the ICO found was a failure in itself).
Critically, no additional verification steps were required before a customer downloaded their raw genetic data, despite the high sensitivity of such information. Furthermore, defective IP address logging meant it was impossible to determine with certainty (after the data breach) whether raw genetic data downloads were from legitimate customers or malicious IP addresses.
Early warning signs missed
23andMe missed several early warning signs that they had been compromised in the months before the main attack occurred. Notably, the ICO found a breach of Article 32(1)(d) UK GDPR, which requires organisations to have processes in place to continuously monitor and evaluate the effectiveness of security measures. This is a more targeted infringement than the ICO’s usual reliance on the more general obligation to implement appropriate security measures (which is found in Article 32(1)(b) or referred to as Article 32(1) generally).
Among the missed indicators was a large spike in failed login attempts, typical of credential stuffing attacks, which went unnoticed. These failed attempts exhibited a technical pattern that was inconsistent with normal customer behaviour, yet 23andMe failed to detect or investigate it. The company also identified approximately 400 suspicious earlier attempts to transfer customer account data and required those customers to reset their passwords, but did not conduct a broader investigation to determine whether that issue reflected an underlying systemic risk.
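The two monitoring gaps described above (no alert on the failed-login spike, and no notification of logins from new devices or addresses) can be illustrated with a small piece of detection logic. The following is an added example, not 23andMe's code or anything from the penalty notice, run over constructed authentication log lines in a made-up key=value format. The credential-stuffing signature it looks for is the one the article describes: many failures from one source address spread across many different accounts within a short window, as opposed to a legitimate user mistyping one password. The second function flags successful logins from an address the account has never used, which is the event a customer would be notified about. Thresholds and field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed normal traffic: a few customers logging in from their usual addresses.
NORMAL_LINES = [
    "2023-04-12T08:00:01Z ip=192.0.2.10 user=alice@example.com result=OK",
    "2023-04-12T08:01:30Z ip=192.0.2.11 user=bob@example.com result=FAIL",
    "2023-04-12T08:01:45Z ip=192.0.2.11 user=bob@example.com result=OK",
    "2023-04-12T08:03:10Z ip=192.0.2.12 user=carol@example.com result=OK",
]


def _constructed_attack_lines() -> List[str]:
    """Constructed credential-stuffing burst: one address tries a different
    account every two seconds; two of the reused passwords happen to work."""
    lines = []
    start = datetime(2023, 4, 12, 2, 0, 0, tzinfo=timezone.utc)
    for i in range(30):
        ts = (start + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        result = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"{ts} ip=203.0.113.7 user=victim{i}@example.com result={result}")
    return lines


LOG_LINES = NORMAL_LINES + _constructed_attack_lines()


def parse_event(line: str) -> dict:
    ts_text, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return event


def detect_stuffing(lines: List[str], window: timedelta = timedelta(minutes=5),
                    min_failures: int = 10, min_distinct_users: int = 8) -> List[dict]:
    """Per source address, find the densest window of failed logins and alert
    when it is both large and spread over many distinct accounts. A single
    user retrying a forgotten password never meets the distinct-user bar."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    fails_by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if ev["result"] != "OK":
            fails_by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, fails in fails_by_ip.items():
        best: List[dict] = []
        left = 0
        for right in range(len(fails)):            # sliding window over this IP's failures
            while fails[right]["ts"] - fails[left]["ts"] > window:
                left += 1
            if right - left + 1 > len(best):
                best = fails[left:right + 1]
        users = {e["user"] for e in best}
        if len(best) >= min_failures and len(users) >= min_distinct_users:
            alerts.append({"ip": ip, "failures": len(best), "distinct_users": len(users),
                           "window_start": best[0]["ts"].isoformat()})
    return alerts


def baseline_known_ips() -> Dict[str, Set[str]]:
    """Constructed per-account history of previously seen addresses."""
    return {"alice@example.com": {"192.0.2.10"},
            "bob@example.com": {"192.0.2.11"},
            "carol@example.com": {"192.0.2.12"}}


def new_ip_logins(lines: List[str], known_ips: Dict[str, Set[str]]) -> List[tuple]:
    """Flag successful logins from an address the account has not used before;
    known_ips is updated in place so each new address is reported once."""
    alerts = []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        if ev["result"] != "OK":
            continue
        seen = known_ips.setdefault(ev["user"], set())
        if ev["ip"] not in seen:
            alerts.append((ev["user"], ev["ip"], ev["ts"].isoformat()))
            seen.add(ev["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(LOG_LINES):
        print("credential stuffing suspected:", alert)
    for user, ip, ts in new_ip_logins(LOG_LINES, baseline_known_ips()):
        print(f"notify {user}: first login from {ip} at {ts}")
```

On the constructed sample the first function raises one alert (28 failures against 28 accounts from 203.0.113.7 inside a minute) and ignores bob's single mistyped password; the second flags the two successful attacker logins as first-time addresses for those accounts. Both outputs are exactly the records an investigator needs afterwards, which is why accurate source-address logging matters as much as the alerting itself.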
Additionally, messages were sent to 23andMe’s former CEO claiming that the data of 10 million individuals had been stolen. Similar claims were posted on social media and dark web forums. These warnings were seen by 23andMe but were not properly investigated and were instead dismissed as hoaxes.
Incident response and notification failures
The ICO also found that 23andMe’s response to the breach was unacceptably slow. It took the company four days (after discovering the breach) to shut down compromised accounts and to make a password reset mandatory for all customers. Even more concerning, customers were still able to access and download their raw genetic data for nearly a month after the breach was identified without any additional security controls being put in place. Notification to the ICO was delayed by ten days, exceeding the 72-hour requirement under Article 33. However, the ICO did not treat this as a breach of the UK GDPR, acknowledging the global nature of the incident and the time required to determine whether customers in each jurisdiction were impacted.
The notifications sent to affected data subjects were found to be defective. They failed to specify the period during which the breach occurred, did not disclose that raw genetic data may have been at risk, and omitted any guidance on the potential consequences for individuals.
Cooperation with the ICO
Although the ICO ultimately chose not to treat 23andMe’s limited cooperation as an aggravating factor, largely because of the company’s financial distress and the related loss of key personnel, it was clear that the regulator was dissatisfied with the level of engagement. 23andMe failed to provide information in the requested format, missed deadlines, and seemed to prioritise responses to US regulators. Some of the information provided was insufficiently detailed, and at times inaccurate and in need of substantial revision. There were also delays in disclosing key facts, including the risk to raw genetic data, the existence of the threatening messages the cyber criminal sent to the former CEO, and the defects in IP logging. The company also delayed interviews with staff and failed to make its Chief Product Officer available at all.
Regulatory process and penalty
The ICO’s investigation was thorough. It included interviews with 23andMe personnel, an oral submissions hearing (which is very rare), and the collection of evidence from affected individuals on the harm (distress) they suffered. The penalty notice is one of the most comprehensive and detailed enforcement documents issued by the ICO to date, spanning 150 pages.
Ultimately the ICO concluded that the infringements of the UK GDPR had a “high degree of seriousness” and warranted a penalty of up to 60% of the statutory maximum. The final penalty was significantly reduced to £2.3m in light of 23andMe’s distressed financial position.
The ICO also considered imposing an enforcement notice compelling 23andMe to implement corrective measures, but was persuaded that these had already been adopted so dropped the enforcement element.
Observations and key takeaways for cybersecurity
Many of the security failures identified in this case are textbook examples of basic cybersecurity lapses. However, the ICO has focussed on several new angles that presumably will also be considered in any future data breach investigations. Organisations should evaluate whether their operational or technical measures need updating to address these issues. If any measures are not considered appropriate, they should document in writing the reasons for that conclusion. Organisations should consider implementing the following:
- Mandatory MFA – The ICO is close to saying that MFA is a mandatory requirement for all online accounts. This is in line with other recent public statements by the ICO, indicating a zero-tolerance approach to the absence of MFA.
- Using unique usernames rather than email addresses. Although not yet an absolute requirement, it is clear that the ICO looks positively on this security measure.
- Providing guidance on creating strong passwords at the time of account creation.
- Undertaking specific data breach simulations or penetration tests for each type of material risk vector faced by an organisation, which may require multiple simulations / tests each year.
- Documenting simulations and tests, and implementing all remedial actions (or keeping a written record of why they were not implemented).
- Providing users with warnings when new devices are used to access their accounts.
- Providing users with their account usage history so they can check for unauthorised access.
- Accurately logging IP addresses associated with account activity so as to be able to conduct an effective post-incident investigation.
- Risk-assessing security events to determine in each one whether it might indicate a wider problem (and recording the outcome of that assessment, such as on the security event ticket).
- Ensuring the wording of data subject notifications is accurate, fairly describes the risks to data subjects, and meets all the prescriptive requirements of Article 34 UK GDPR, to reflect that such notification may come under greater scrutiny.
WBD’s transatlantic team of cyber security lawyers has managed hundreds of data breaches for our clients and advises on the legal requirements for cyber security policies and procedures. We also provide data breach simulations to test an organisation’s readiness to respond to a cyber security incident.