
UK Fines 23andMe Over Mishandling of Sensitive Genetic Data

June 23, 2025

UK data regulators have imposed a £2.31 million ($3.1 million) fine on DNA testing firm 23andMe in response to a major cybersecurity breach that compromised the sensitive genetic information of over 150,000 British users. The penalty marks the latest setback for the once-prominent biotech company, whose struggles with data privacy and financial stability have come under increasing scrutiny.


The Information Commissioner’s Office (ICO), working in coordination with its Canadian counterpart, concluded that 23andMe had failed to meet essential requirements under the UK’s data protection framework. Per Bloomberg, the regulator criticized the company for lacking basic safeguards, such as proper login authentication, robust controls over access to raw genetic data, and adequate systems for detecting cyber threats.

The breach, which unfolded in 2023, reportedly began in April when attackers exploited reused credentials to infiltrate user accounts. However, the company did not launch a comprehensive investigation until October, when a staff member discovered that some of the stolen data had surfaced on Reddit, according to Bloomberg’s reporting. The exposed information included users’ names, profile pictures, locations, and health-related insights derived from their DNA tests.
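The regulator's finding that detection was inadequate is the part a defender can act on directly: logins with reused credentials look like ordinary password failures one account at a time, but across accounts they form a pattern of one source trying many distinct usernames with a high failure rate. The following is an added example, written for this article and not code from 23andMe or the ICO, that applies that heuristic to a small constructed authentication log (the log format, IP addresses, usernames and thresholds are all assumptions) and reports which accounts were successfully logged into from a flagged source so they can be forced through a password reset and step-up authentication.

```python
"""Credential-stuffing detection heuristic over constructed auth log lines.

A source IP is flagged when, inside a sliding time window, it attempts logins
against at least `min_accounts` distinct usernames with a failure rate of
`min_fail_rate` or higher. Any account that was successfully logged into from
a flagged source is listed as likely compromised.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


# Constructed sample log for this example; not real traffic or real 23andMe data.
# One source tries eight different accounts in eleven seconds and gets into one;
# a second source is a single user mistyping a password once, then succeeding.
SAMPLE_LOG = [
    "2023-04-12T10:00:01Z auth ip=203.0.113.7 user=alice result=FAIL",
    "2023-04-12T10:00:03Z auth ip=203.0.113.7 user=bob result=FAIL",
    "2023-04-12T10:00:04Z auth ip=203.0.113.7 user=carol result=FAIL",
    "2023-04-12T10:00:06Z auth ip=203.0.113.7 user=dana result=OK",
    "2023-04-12T10:00:07Z auth ip=203.0.113.7 user=erin result=FAIL",
    "2023-04-12T10:00:09Z auth ip=203.0.113.7 user=frank result=FAIL",
    "2023-04-12T10:00:10Z auth ip=203.0.113.7 user=grace result=FAIL",
    "2023-04-12T10:00:12Z auth ip=203.0.113.7 user=heidi result=FAIL",
    "2023-04-12T10:05:00Z auth ip=198.51.100.9 user=alice result=FAIL",
    "2023-04-12T10:05:20Z auth ip=198.51.100.9 user=alice result=OK",
]


def parse_line(line: str) -> Attempt:
    """Parse the assumed format: '<ISO8601>Z auth ip=<ip> user=<name> result=<OK|FAIL>'."""
    ts_text, _, rest = line.partition(" auth ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Attempt(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        ip=fields["ip"],
        user=fields["user"],
        ok=fields["result"] == "OK",
    )


def detect(lines, window=timedelta(minutes=10), min_accounts=5, min_fail_rate=0.8):
    """Return {ip: {accounts_tried, fail_rate, compromised}} for sources that look like stuffing."""
    by_ip = defaultdict(list)
    for attempt in sorted(map(parse_line, lines), key=lambda a: a.ts):
        by_ip[attempt.ip].append(attempt)

    flagged = {}
    for ip, events in by_ip.items():
        best = None  # (distinct accounts, fail rate) of the widest qualifying window
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            users = {a.user for a in win}
            fail_rate = sum(not a.ok for a in win) / len(win)
            if len(users) >= min_accounts and fail_rate >= min_fail_rate:
                if best is None or len(users) > best[0]:
                    best = (len(users), fail_rate)
        if best is not None:
            flagged[ip] = {
                "accounts_tried": best[0],
                "fail_rate": round(best[1], 3),
                # Successful logins from a stuffing source are the accounts to reset.
                "compromised": sorted({a.user for a in events if a.ok}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(f"{ip}: tried {info['accounts_tried']} accounts, "
              f"fail rate {info['fail_rate']}, compromised {info['compromised']}")
```

Run as a script it flags only 203.0.113.7 and names `dana` as the account to reset; the single-user retry from 198.51.100.9 never reaches the distinct-account threshold. In production the same rule would run over a streaming log with per-IP state rather than an in-memory list, and the thresholds would be tuned against the service's normal failure rate, but the signal itself (many accounts, mostly failures, from one source in a short window) is what a "system for detecting cyber threats" of the kind the ICO described would be looking for.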

“23andMe failed to take basic steps to protect this information,” said UK Information Commissioner John Edwards in a statement issued alongside the announcement of the fine. “This left people’s most sensitive data vulnerable to exploitation and harm.”


Headquartered in San Francisco, 23andMe was once considered a leading figure in consumer genetics. However, the firm filed for bankruptcy in March 2025 after years of declining revenue and controversy over its data monetization practices. As Bloomberg notes, its vast database—containing DNA profiles from millions of individuals—has drawn concern from both consumers and regulators over the years, particularly regarding how that data is used and shared.

The company’s assets were recently acquired through a bankruptcy auction by former CEO Anne Wojcicki and the TTAM Research Institute, a nonprofit entity. The future of the firm and its genetic archive remains uncertain as the new owners attempt to rebuild trust and navigate heightened regulatory scrutiny.

This incident adds to a growing list of challenges for firms operating at the intersection of health data and consumer technology, reinforcing calls for stronger oversight and clearer standards in the handling of personal genetic information.

Source: Bloomberg