
The UK's Information Commissioner's Office has just fined 23andMe £2.31 million for a 2023 data breach that exposed genetic information belonging to 155,592 UK residents. This isn't your typical "oops, wrong email" mistake: we're talking family trees, health reports, and ethnic backgrounds scattered across the dark web like something out of a cyberthriller. The breach, which stemmed from a credential stuffing attack, compromised data from about 14,000 accounts and, through linked DNA profiles, affected millions of people, raising urgent questions about whether your DNA is at risk.
Security Failures That Cost Millions
The ICO's investigation revealed that 23andMe operated as if it were still running Windows XP in 2023. There was no mandatory multi-factor authentication, monitoring was too weak to catch obvious red flags, and the response was delayed even though warning signs had been flashing for months, like a smoke detector with dying batteries.
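What "monitoring too weak to catch obvious red flags" means in practice is easiest to see with a concrete detection rule. The following is an added example written for this article, not 23andMe's code and not anything from the ICO's report. It scans a constructed, hypothetical login log (the line format, IP addresses, account names and thresholds are all assumptions) and flags source IPs that try many distinct accounts with a high failure rate inside a short window, the classic credential stuffing signature, then lists the accounts that actually succeeded from those IPs so they can be reset and enrolled in MFA.

```python
"""Credential-stuffing detection over a constructed login log.

Added example for this article; not 23andMe's code and not from the ICO
report. Log format, addresses, account names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Constructed sample log: "<UTC timestamp> <source IP> <account> <OK|FAIL>".
SAMPLE_LOG = """\
# one source walking a leaked username/password list (stuffing pattern)
2023-04-02T03:15:01Z 203.0.113.7 alice@example.com OK
2023-04-02T03:15:03Z 203.0.113.7 bob@example.com FAIL
2023-04-02T03:15:05Z 203.0.113.7 carol@example.com FAIL
2023-04-02T03:15:07Z 203.0.113.7 dave@example.com FAIL
2023-04-02T03:15:09Z 203.0.113.7 erin@example.com FAIL
2023-04-02T03:15:11Z 203.0.113.7 frank@example.com FAIL
2023-04-02T03:15:13Z 203.0.113.7 grace@example.com FAIL
2023-04-02T03:15:15Z 203.0.113.7 hank@example.com OK
2023-04-02T03:15:17Z 203.0.113.7 ivy@example.com FAIL
2023-04-02T03:15:19Z 203.0.113.7 judy@example.com FAIL
2023-04-02T03:15:21Z 203.0.113.7 ken@example.com FAIL
2023-04-02T03:15:23Z 203.0.113.7 leo@example.com FAIL
# ordinary user mistyping a password twice before getting it right
2023-04-02T08:02:10Z 198.51.100.20 bob@example.com FAIL
2023-04-02T08:02:25Z 198.51.100.20 bob@example.com FAIL
2023-04-02T08:02:40Z 198.51.100.20 bob@example.com OK
# password guessing against ONE account: brute force, not stuffing
2023-04-02T09:00:00Z 192.0.2.9 carol@example.com FAIL
2023-04-02T09:00:05Z 192.0.2.9 carol@example.com FAIL
2023-04-02T09:00:10Z 192.0.2.9 carol@example.com FAIL
2023-04-02T09:00:15Z 192.0.2.9 carol@example.com FAIL
2023-04-02T09:00:20Z 192.0.2.9 carol@example.com FAIL
2023-04-02T09:00:25Z 192.0.2.9 carol@example.com FAIL
"""


class LoginEvent(NamedTuple):
    ts: datetime
    src_ip: str
    account: str
    ok: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the assumed space-separated format; skips blanks and '#' comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, account, outcome = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, account, outcome == "OK"))
    return events


def detect_stuffing(events: List[LoginEvent],
                    window: timedelta = timedelta(minutes=10),
                    min_accounts: int = 5,
                    min_fail_ratio: float = 0.8) -> Dict[str, Set[str]]:
    """Flag source IPs that, within any `window`, hit at least `min_accounts`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.

    Returns {src_ip: accounts that ever logged in OK from that IP}; those are
    the credentials the attacker validated and the ones to reset first.
    A single account hammered from one IP is brute force, not stuffing, and
    is deliberately not matched by this rule.
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_ip[e.src_ip].append(e)

    flagged: Dict[str, Set[str]] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {e.account for e in win}
            fail_ratio = sum(not e.ok for e in win) / len(win)
            if len(distinct) >= min_accounts and fail_ratio >= min_fail_ratio:
                flagged[ip] = {e.account for e in evs if e.ok}
                break  # one qualifying window is enough to flag the IP
    return flagged


if __name__ == "__main__":
    for ip, hits in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing; validated accounts -> {sorted(hits)}")
        print("  action: force password reset and MFA enrollment for those accounts")
```

Two caveats a practitioner would add. The rule is per source IP, so an attacker who spreads attempts across a proxy pool, or runs low and slow over months as happened here, needs an aggregate companion rule (site-wide failure ratio per hour, or the count of distinct accounts failing from previously unseen addresses) with a much wider window. And detection is only half the fix: with mandatory MFA, a validated password alone would not have yielded account access in the first place.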
Information Commissioner John Edwards didn't mince words: "This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions."
Your genetic data isn't like a credit card number: you can't just get a new one issued. Once that information hits the internet, it stays there forever, potentially affecting not just you but relatives who never even used the service.
What Got Exposed (And What Didn't)
The stolen data included names, birth years, locations, profile pictures, race, ethnicity, health reports, and family connections. Fortunately, raw DNA data wasn't compromised, but the attackers still grabbed enough personal detail to cause serious privacy headaches that would make even Mark Zuckerberg nervous.
The breach particularly targeted users with Ashkenazi Jewish heritage, adding a disturbing dimension to an already messy situation. Here's what the attack timeline looked like:
- April 2023: Attackers began accessing accounts via credential stuffing.
- October 2023: 23andMe finally detected the breach after months of activity.
- December 2023: The company began notifying affected users.
- 2024: 23andMe implemented proper security measures (better late than never).
- March 2025: The company filed for bankruptcy.
For a complete overview of the incident and what was exposed, see the 23andMe data leak.
"Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information," said Philippe Dufresne, Canada's Privacy Commissioner, who worked with UK regulators on this case.
The Bankruptcy Aftermath
23andMe went from a $6 billion valuation in 2021 to bankruptcy court in March 2025 faster than you can say "data breach settlement". The privacy disaster wasn't the only culprit: declining demand and general creepiness concerns had already hurt the business, but it certainly accelerated the company's downward spiral.
Anne Wojcicki, 23andMe's co-founder, is buying back the company through her nonprofit TTAM Research Institute for $305 million. She's promising better data protection and giving customers the right to delete their genetic information entirely. Whether that's enough to rebuild trust remains to be seen, but at least 15% of users have already requested data deletion since the bankruptcy filing.
This case sets a serious precedent for companies handling genetic data. The ICO's fine may seem modest compared to 23andMe's former valuation, but it sends a clear message: treat genetic information like the special category data it is, or face the consequences. Your DNA deserves better protection than your Netflix password.