DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack

The genetic testing company 23andMe has been fined more than £2.3m for failing to protect the personal information of more than 150,000 UK residents after a large-scale cyberattack in 2023.
Family trees, health reports, names and postcodes were among the sensitive data hacked from the California-based company. It only confirmed the breach months after the infiltration started and once an employee saw the stolen data advertised for sale on the social media platform Reddit, according to the UK Information Commissioner's Office – which levied the fine.
The information commissioner, John Edwards, called the months-long incident across the summer of 2023 a 'profoundly damaging breach'. The compromise of UK data was just a fraction of the wider losses, with the data of 7 million people affected.
23andMe charges users £89 to have their DNA screened using a saliva-based kit, allowing them to discover where their distant ancestors came from in terms of their ethnicity and location. But many customers asked for their DNA data to be deleted from the company's archives after the hack and it filed for bankruptcy protection in the US in March.
The fine came as a $305m bid to buy the company led by its former chief executive, Anne Wojcicki, looked poised to retake control of the company in a bankruptcy auction.
Edwards said the data breach 'exposed sensitive personal information, family histories and even health conditions of thousands of people in the UK'.
'As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number,' he said.
23andMe failed to take basic steps to protect the information and their security systems were inadequate, the UK data protection regulator found. The breaches included failing to install tougher user authentication.
The hacker exploited a common weakness caused by users reusing passwords that had already been stolen in other unrelated data breaches. Hackers then used automated tools to try these passwords in a tactic called 'credential stuffing'.
'The warning signs were there, and the company was slow to respond,' said Edwards, who carried out the investigation jointly with the privacy commissioner of Canada. 'This left people's most sensitive data vulnerable to exploitation and harm.'
Sign up to First Edition
Our morning email breaks down the key stories of the day, telling you what's happening and why it matters
after newsletter promotion
A spokesperson for the company said 23andMe had since implemented multiple steps to increase security to protect individual accounts and information. They said that as part of the deal to acquire 23andMe, Wojcicki's non-profit, the TTAM Research Institute, has made 'binding commitments to enhance protections for customer data and privacy, including allowing individuals to delete their account and opt out of research at any time' and 'agreeing not to sell or transfer genetic data under a subsequent bankruptcy or change of control', and offering customers two years of free identity theft monitoring.
The fine is among several multimillion pound punishments meted out by the ICO in recent years for failure to protect data from hacks and ransomware attacks. In 2022, it fined the construction company Interserve £4.4m when staff data was compromised, including contact details, bank accounts, sexual orientation and health.
In March this year it fined an NHS IT supplier, Advanced Computer Software Group, nearly £3.1m for security failings that put the personal information of nearly 80,000 people at risk.

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

BBC News

37 minutes ago

• BBC News

Petition questioning jail sentences for online posts hits target

A petition calling for an urgent review of sentencing after a woman was jailed for a racist social media post has hit its target of 100,000 signatures in under 24 Connolly, from Northampton, was jailed for 31 months in October after urging her followers on X to "set fire" to hotels housing asylum seekers on the day of the Southport UK MP Rupert Lowe's online petition said prison terms for cases of "opinion-based online speech" caused "serious public concern" and alternative sanctions would be more appeal was rejected in May, with the Court of Appeal ruling there was "no arguable basis" that her prison sentence was excessive. The 41-year-old childminder, the wife of a Conservative councillor, posted the swearword-ridden message on 29 July 2024, the day three girls were murdered at a dance class in calling for "mass deportations now", she wrote: "If that makes me racist, so be it."She urged readers to set fire to "all the hotels" that were "full" of those she wished to post had been deleted before Connolly was arrested on 6 August but had already been viewed 310,000 who represents Great Yarmouth as an Independent, said the jailing of Connolly was "morally repugnant" and his petition had the full support of her husband, Ray."Lucy, and others like her, should not be in prison for foolish things they posted on the internet," said Lowe in a post on X."It's all just so disgusting, and if I can use my elected position to do anything, it has to be worth a go." The petition says imprisoning individuals for posts on social media "sets a dangerous precedent and raises wider questions about freedom of expression, proportionality in sentencing, and the misuse of limited prison resources."The day after Connolly's appeal was rejected, Sir Keir Starmer said he was in favour of free speech and against inciting violence after Lowe used Prime Minister's Questions to ask if her jail term was an "efficient or fair" use of prison.A UK Government and Parliament petition that attains 100,000 signatures is assessed by the Petitions Committee for its level of support and whether the government could act on its demands. If approved for consideration, it is then debated in Westminster Hall. Follow Northamptonshire news on BBC Sounds, Facebook, Instagram and X.

Daily Mail​

40 minutes ago

• Daily Mail​

Instant karma! Shocking moment teen gang hurl chairs at restaurant waiters - before one of the attackers gets more than he bargained for

A teen was served instant karma as he was forced to quickly flee after hurling chairs at two restaurant workers as a 'gang of 30 teens' watched on. A shocking video has emerged online of a around 30 youngsters attacking a family restaurant in the seaside Kent town of Broadstairs. The 59-second clip shows a gaggle of yobs storming towards a Italian restaurant, Sardinia, as two staff members appear at the workplace's doorway. Another youth then pushes one of the men as tensions escalate with another teenager picking up a chair and launching it towards a glass pane. As another unidentified item is hurled through the air, the young man picks up a chair and throws it at a staff member, armed with a black chair. Seemingly working in tandem, a separate teen then slams a chair towards the same waiter standing in the doorway, as horrified customers watch on in horror. The previous yob circles back again, as both he and the workman hurl black chairs in each others direction. But karma came around quickly, as a separate staff member emerges from the restaurant and chases one of the teens down the road. Loud shouting could be heard from the group of unruly youngsters as the yob raced away from down the seaside street away from the restaurant worker. It is believed the group of teens were chasing another young person who had hid inside the family restaurant for safety. Restaurant manager, Tony, said four or five tables of guests were inside when the incident transpired. He told The Sun: 'They were trying to get to this boy who they already attacked to beat him again. 'We let him inside and shut the doors, but they attacked the staff and threw chairs. 'He was half their size, I don't know why they would want to do this - there were about 30 of them.' The restaurant boss also spoke of his dismay that the teen's parents had not been in touch following the attack. Another business in the town also had its window broken amid reports of street fights, underage drinking, and bottles being thrown at beach huts as well as thefts. A dispersal order was also issued by police throughout the town following a day of chaos in the town. The force also responded to reports from incidents in the town's train station. A spokesperson for Kent Police said: 'Kent Police is aware of incidents of anti-social behaviour in the Broadstairs area including under-age street drinking, fighting and reports of aggressive behaviour towards staff at shops and restaurants during the evening of Thursday 19 June 2025. 'Officers attended and three arrests were made on suspicion of offences relating to public order, assault and criminal damage. 'Two boys aged 16 and 17, and a 15-year old girl, all from Thanet, have since been released on bail pending further enquiries. 'Officers are currently investigating these incidents, and a dispersal order has been implemented due to ongoing concerns relating to issues caused by a small minority of young people in some public areas including the town centre and beaches. 'We fully understand that residents may be concerned about incidents of crime and disorder committed by the minority, however they should feel reassured that local officers will be on patrol in the area to provide a visible presence to prevent offences from occurring.' Dispersal orders give officers extra powers to stop and search individuals under Section 60 of the Public Order Act. It also give them the authority to move groups of people form an area.

Telegraph

44 minutes ago

• Telegraph

Don't trust two-tier Keir on Palestine Action. He hasn't turned sound

If a mystic with a crystal ball asked you last week to guess which political leader would try to ban a group with 'Palestine' in the name, you'd have plumped for Donald Trump. Turns out, however, it was Keir Starmer. I speak of Palestine Action, the neo-Corbynite clowns who infiltrated RAF Brize Norton on electric scooters to sabotage strategic aircraft. The Government says it will ban them as terrorists for their trouble. Has the Prime Minster finally gone sound? Has he heck. The petulant hoodlums will complain that unlike Hamas and the other groups on the list, they weren't trying to bomb anybody. That argument will probably prevail; the ban must win the support of both MPs and peers before coming into force, so it may never materialise. No, it's all about the headlines. Nigel Farage demanded that Palestine Action be proscribed in the morning and by the afternoon, Starmer had claimed the oxygen for his own. This created the impression that the Government takes our national security seriously, stands against the irritating Gaza radicals and is determined to crack down on treason. No need to vote Reform then, eh? He's a slippery fish, that prime minister. This is the most unprincipled government in living memory and its playbook is always the same. Wrongfoot and gaslight the public while advancing an agenda that nobody has voted for. Mark my words. After this, Starmer's betrayal of Israel will continue apace. Take the child sex gangs. The inquiry was a controlled explosion of a political landmine with senior Labour figures protected by spin. Meanwhile, this was Death Week, with infanticide and geronticide, neither of which were in Labour's manifesto, forced through the Commons. Thus the Government emerges as the shadowy winner while the country and its despairing people have lost. The same pattern can be seen in everything from the economy to immigration and defence. Starmer talks tough, cracks out a little U-turn, then when the heat has passed, pushes on with his agenda, making superficial modifications to throw us off the scent. Last week, for instance, it emerged that our rising defence budget will also fund Heathrow's third runway, reduce food prices and bolster supply chains. The Prime Minister told us he was serious about defending the realm, but he didn't really mean it. The Palestine Action episode is the same. This government is now the most Israelophobic since the Fifties. It has suspended arms export licences while continuing to provide them to the repressive regimes of Qatar, Turkey and Egypt. It has sanctioned objectionable Israeli ministers while leaving far more chauvinistic regional figures untouched. The Tunisian president, for example, demands 'all the land of Palestine' for the Arabs. No two-state solution there. No British sanctions, either. It has presided over crackdowns on free speech and two-tier policing of the Gaza mobs. Just as sensible voters reach the end of their tether, however, Sir Keir throws sand in their eyes on Palestine Action. Now it is the turn of his Corbynite Left to feel the burn. But this is nothing more than an exercise in damage limitation; as always, the pendulum will swing back the other way, only – crucially – not as far as its original position. Thus public rage is subdued while the Overton Window creeps inexorably leftwards. You can feel it, can't you? You know you're being conned but you can't quite put your finger on it. As the months pass, a browbeaten and confused electorate finds the country drifting away beneath its feet, little by little becoming unrecognisable.