23andMe Fined £2.31 Million: A Reminder of the Cost of Non-Compliance


Jun 19, 2025, by Ethan Coulthard

In June 2025, the UK’s Information Commissioner’s Office (ICO) imposed a £2.31 million ($3.12 million) fine on genetic testing firm 23andMe, due to failures to comply with data protection regulations following a data breach. This enforcement action is more than a punitive measure—it is a reminder to all organizations that compliance is not optional, especially when handling high-risk data such as genetic information.


What Went Wrong?

Between April and September 2023, threat actors successfully carried out a credential-stuffing attack on 23andMe. By exploiting reused passwords, attackers accessed accounts containing sensitive information such as genetic data and family connections. While only a portion of accounts were directly compromised, the breach affected a much wider group due to features that allowed users to share their DNA data with relatives. Over 6.9 million individuals were ultimately impacted, including more than 155,000 UK residents.

The nature of the data involved—names, locations, ethnic origins, health insights, and raw genetic files—placed the breach in a category far more serious than a typical incident involving email addresses or passwords. According to the ICO, the data exposed is "so sensitive and so immutable" that the potential harm to affected individuals is long-term and irreversible.

Regulatory Findings and the Cost of Non-Compliance

The ICO’s investigation uncovered multiple violations of the UK General Data Protection Regulation (UK GDPR). These included:

  • A failure to implement multi-factor authentication (MFA), despite the sensitivity of the data.
  • Inadequate monitoring and detection systems that allowed the attack to persist undetected for months.
  • Poor access control mechanisms that allowed users—and, by extension, attackers—to access and download raw genetic data without reauthentication.
  • A slow and insufficient response: 23andMe did not fully investigate the breach until data began circulating publicly in October 2023.
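The two findings about the attack itself (credential stuffing that ran for months, and monitoring that never flagged it) come down to one detection gap: per-account lockout cannot see an attack that touches each account only once or twice, because the signal is per-source breadth. The following is an added example, not 23andMe's code or anything the ICO published, showing a simple detector of that shape run over a constructed authentication log. The log format, the RFC 5737 documentation IP addresses, the usernames and the thresholds (`window`, `min_users`, `max_success_rate`) are all assumptions chosen for illustration.

```python
"""Credential-stuffing detector over constructed authentication log lines.

In an auth log, credential stuffing looks like one source trying many
different usernames, mostly failing, with a few successes where a reused
password happened to match. Per-account lockout misses it because each
account sees only one or two attempts; this detector measures per-source
breadth instead.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# Constructed sample log: hypothetical format, RFC 5737 documentation IPs,
# invented usernames. Not real 23andMe data.
SAMPLE_LOG = """\
2023-05-02T10:15:01Z ip=203.0.113.5 user=alice@example.test result=FAIL
2023-05-02T10:15:02Z ip=203.0.113.5 user=bob@example.test result=FAIL
2023-05-02T10:15:02Z ip=203.0.113.5 user=carol@example.test result=FAIL
2023-05-02T10:15:03Z ip=203.0.113.5 user=dave@example.test result=OK
2023-05-02T10:15:04Z ip=203.0.113.5 user=erin@example.test result=FAIL
2023-05-02T10:15:05Z ip=203.0.113.5 user=frank@example.test result=FAIL
2023-05-02T10:15:06Z ip=203.0.113.5 user=grace@example.test result=FAIL
2023-05-02T10:15:07Z ip=203.0.113.5 user=heidi@example.test result=FAIL
2023-05-02T10:15:08Z ip=203.0.113.5 user=ivan@example.test result=FAIL
2023-05-02T10:15:09Z ip=203.0.113.5 user=judy@example.test result=OK
2023-05-02T10:20:00Z ip=198.51.100.7 user=alice@example.test result=FAIL
2023-05-02T10:20:30Z ip=198.51.100.7 user=alice@example.test result=OK
2023-05-02T11:00:00Z ip=192.0.2.9 user=mallory@example.test result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool

@dataclass
class Alert:
    ip: str
    distinct_users: int
    failures: int
    successes: int
    likely_compromised: List[str] = field(default_factory=list)

def parse_log(text: str) -> List[Event]:
    """Parse the hypothetical log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["ip"], m["user"], m["result"] == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.5):
    """One Alert per source IP whose activity looks like credential stuffing.

    Slides a time window over each IP's attempts and flags the IP when some
    window holds at least `min_users` distinct usernames with a success rate
    at or below `max_success_rate`. Successful logins inside that window are
    listed as likely compromised accounts for follow-up (password reset,
    session revocation, user notification).
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # drop events older than the window
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = sum(e.ok for e in win)
            failures = len(win) - successes
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                cand = Alert(ip, len(users), failures, successes,
                             sorted(e.user for e in win if e.ok))
                if best is None or cand.distinct_users > best.distinct_users:
                    best = cand  # keep the widest window per IP
        if best is not None:
            alerts.append(best)
    return alerts

def run_sample() -> List[Alert]:
    return detect_stuffing(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample, only 203.0.113.5 is flagged: ten usernames in eight seconds with two successes. The single user retrying from 198.51.100.7 and the clean login from 192.0.2.9 are left alone, which is the point of keying on distinct usernames per source rather than on failures per account. In production the same logic would run over a streaming window, and the two accounts in `likely_compromised` would feed the response playbook rather than a print statement.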

These findings point to systemic non-compliance with fundamental data protection principles. In response, the ICO issued a fine of £2.31 million—reduced from an initial £4.59 million due to financial considerations. The regulator made clear that organizations entrusted with high-risk data are expected to meet the highest standards of data governance and security.

Compliance Is Not a Checkbox—It’s a Responsibility

This case reinforces that regulatory compliance is not merely a box to tick. It is an ongoing obligation—particularly for organizations operating in regulated sectors or managing sensitive personal data. The ICO’s message is clear: failure to implement well-established security controls, such as MFA and activity monitoring, is a breach of duty that will result in penalties.

The incident also highlights a broader truth: reputational and financial fallout from non-compliance can be devastating. In early 2025, 23andMe filed for Chapter 11 bankruptcy protection in the United States. The company’s former CEO, Anne Wojcicki, has since moved to acquire its remaining assets via a nonprofit organization and has pledged to prioritize user control and data protection moving forward. But the damage—financial, legal, and reputational—is already done.

A Call to Action

The enforcement against 23andMe should serve as a wake-up call for any organization collecting, storing, or processing personal data. Regulators are increasingly willing to impose significant penalties for failures to comply with data protection laws, particularly when the data in question is as sensitive as health or genetic information.

Key areas of focus for organizations seeking to avoid similar outcomes include:

  • Authentication and access control: Multi-factor authentication and strong password requirements must be standard.
  • Monitoring and detection: Real-time detection is critical for early breach response.
  • Data minimization and access governance: Limit who can access what—and require reauthentication for the most sensitive data.
  • Incident response readiness: Breach detection, reporting, and mitigation plans must be in place and regularly tested.
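The access-governance point above, and the ICO's finding that raw genetic data could be downloaded without reauthentication, describe the same control: a tiered policy in which an ordinary session is enough to browse, but the highest-risk data requires a fresh second-factor check. Below is an added example of such a step-up gate, not code from 23andMe or the ICO. The endpoint names, the `Sensitivity` tiers, the 14-day session lifetime and the 10-minute freshness window are hypothetical values chosen for illustration.

```python
"""Step-up re-authentication gate for a sensitive-data endpoint.

An existing login session may browse ordinary profile data, but downloading
raw genetic files requires a second-factor check passed within the last few
minutes, so a password obtained through credential stuffing cannot by itself
pull the highest-risk data. All names and thresholds are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

class Sensitivity(Enum):
    NORMAL = "normal"        # profile page, relatives list
    SENSITIVE = "sensitive"  # raw genome download, full account export

@dataclass
class Session:
    user: str
    login_at: datetime
    mfa_at: Optional[datetime] = None  # time of the last passed second factor

@dataclass
class Decision:
    allowed: bool
    reason: str

class StepUpPolicy:
    """Decides whether a request may proceed or must first re-authenticate."""

    def __init__(self, max_session_age=timedelta(days=14), mfa_freshness=timedelta(minutes=10)):
        self.max_session_age = max_session_age  # hypothetical lifetime
        self.mfa_freshness = mfa_freshness      # hypothetical step-up window

    def check(self, session: Session, sensitivity: Sensitivity, now: datetime) -> Decision:
        if now - session.login_at > self.max_session_age:
            return Decision(False, "session expired; log in again")
        if sensitivity is Sensitivity.NORMAL:
            return Decision(True, "ordinary data; session suffices")
        if session.mfa_at is None:
            return Decision(False, "step-up required: no second factor in this session")
        if now - session.mfa_at > self.mfa_freshness:
            return Decision(False, "step-up required: second factor is stale")
        return Decision(True, "sensitive data; fresh second factor present")

def complete_second_factor(session: Session, now: datetime, verified: bool) -> Session:
    """Record a passed second factor on the session; a failed check changes nothing."""
    if verified:
        session.mfa_at = now
    return session

def request_profile(session: Session, policy: StepUpPolicy, now: datetime) -> Decision:
    return policy.check(session, Sensitivity.NORMAL, now)

def request_raw_genome_download(session: Session, policy: StepUpPolicy, now: datetime) -> Decision:
    """Handler for the highest-risk data: always routed through the SENSITIVE tier."""
    return policy.check(session, Sensitivity.SENSITIVE, now)

def demo_scenario() -> List[bool]:
    """Walk one session through the gate; returns the allow/deny sequence."""
    policy = StepUpPolicy()
    t0 = datetime(2023, 5, 2, 10, 0, 0)
    s = Session(user="alice@example.test", login_at=t0)  # constructed session
    t = t0 + timedelta(hours=1)
    results = [
        request_profile(s, policy, t).allowed,              # ordinary data: allowed
        request_raw_genome_download(s, policy, t).allowed,  # no second factor yet: denied
    ]
    complete_second_factor(s, t, verified=False)            # wrong code: nothing recorded
    results.append(request_raw_genome_download(s, policy, t).allowed)
    complete_second_factor(s, t, verified=True)
    results.append(request_raw_genome_download(s, policy, t + timedelta(minutes=2)).allowed)
    results.append(request_raw_genome_download(s, policy, t + timedelta(minutes=20)).allowed)
    results.append(request_raw_genome_download(s, policy, t0 + timedelta(days=15)).allowed)
    return results

if __name__ == "__main__":
    for allowed in demo_scenario():
        print("allowed" if allowed else "denied")
```

The design choice worth noting is that the sensitive handler cannot reach the data except through `Sensitivity.SENSITIVE`, so a future endpoint that forgets to ask for step-up fails closed rather than open. Freshness is tracked per session, not per account, so a second factor passed in the victim's own browser does not unlock a download from an attacker's session.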

More than ever, data protection authorities expect not only compliance on paper, but evidence of meaningful and proactive efforts to safeguard personal data. Organizations that fall short may not just face fines—they may face irreparable harm to their public image.


Conclusion

The 23andMe case stands as a clear example of what can happen when regulatory compliance is treated as a secondary concern. In today’s environment, where data is both a strategic asset and a potential liability, maintaining compliance with data protection regulations is not simply a matter of legal necessity—it is central to an organization’s ethical and operational integrity. Compliance with regulations matters even if you are not handling genetic information. If your company has concerns about meeting compliance standards, TechHorizon Consulting can help. Our vCISO service can help you meet challenging compliance metrics and provide real-time network monitoring to stop breaches in their tracks. If this interests you or your company, visit our "Contact Us" page.