England | Fine for failure to protect personal data

June 26, 2025

Scottish Legal News | The Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.

The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.

This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer’s account.

The investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.

John Edwards, UK Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”

Philippe Dufresne, Privacy Commissioner of Canada, said: “Strong data protection must be a priority for organisations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organisation that is not taking steps to prioritise data protection and address these threats is increasingly vulnerable.

“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources, and expertise, we are able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”

— Accurate at time of publication | June 2025

Sign-up to the Barbour Monthly Newsletter

Get the latest Health, Safety and Environmental news and information – sign up for updates from Barbour EHS. Computer monitor What you’ll get:
  • Free downloads including Directors’ Briefings, legislation updates, webinars, risk assessments and more
  • VIP invites to events
  • Important industry news and updates
  • Invitations to hot topic webinars hosted by Barbour
  • Industry partner information
Subscribe to the newsletter ✉️
[ssba-buttons]

You May Also Be Interested In

Comments are closed.

✉ Sign up to the Barbour Newsletter

Free downloads, advance notice of webinars, product updates and perks – all straight to your inbox.

  • Barbour EHS may from time to time send updates about Barbour products and services. By providing your contact information you consent to being contacted for direct marketing purposes by Barbour EHS. Please ensure you review our Privacy Policy.