UK Regulators Fine 23andMe Over Massive Genetic Data Breach

June 17, 2025

Genetic testing company 23andMe has been hit with a £2.31 million ($3.1 million) fine by UK regulators after a 2023 cyberattack exposed the personal and genetic information of over 150,000 UK users, according to Bloomberg.

The Information Commissioner’s Office (ICO) issued the penalty following a joint probe with the Office of the Privacy Commissioner of Canada. Investigators found that the company had failed to implement essential safeguards to protect sensitive data, citing weak login security, insufficient controls on access to genetic information, and inadequate threat detection systems, per Bloomberg.

The breach, which began in April 2023, went undetected for several months. A full internal investigation was not launched until October, when a company employee discovered that user data was being offered for sale on Reddit, the UK watchdog said.

According to the ICO, the compromised data included user names, profile images, geographical locations, and health-related information. Regulators criticized the company for not acting sooner, noting that it had neglected basic cybersecurity practices.

“23andMe failed to take basic steps to protect this information,” said UK Information Commissioner John Edwards in a statement released by the ICO.

Per Reuters, the breach adds to the growing scrutiny over 23andMe’s handling of consumer data. Once considered a Silicon Valley success story, the San Francisco-based company has struggled to maintain profitability. It filed for bankruptcy in March 2025, citing financial difficulties amid declining demand and rising regulatory pressure.

Ownership of the company’s remaining assets has since shifted. According to Bloomberg, former CEO Anne Wojcicki and the nonprofit TTAM Research Institute acquired 23andMe’s holdings in a bankruptcy auction, raising fresh questions about the future of the firm’s vast database of genetic information.

Privacy advocates and regulators alike have expressed concern about the long-term risks of commercializing such sensitive data.

Source: Bloomberg