UK Fines 23andMe £2.3M for Major 2023 Data Breach

UK Watchdog Fines 23andMe Over 2023 Data Breach

The 23andMe data breach in 2023 is now facing serious consequences in the UK. The country’s Information Commissioner’s Office (ICO) has fined 23andMe £2.31 million ($3.1 million) for failing to adequately safeguard the personal and genetic information of UK residents. This fine follows an investigation into the breach, which exposed sensitive data from over 155,000 UK users and more than 6.9 million global accounts. The breach has drawn widespread concern about how genetic testing companies protect user data and comply with data privacy laws. As cyber threats grow increasingly sophisticated, this case underscores the importance of robust security protocols like multi-factor authentication to protect sensitive personal and medical information.


What Happened in the 23andMe Data Breach?

The 23andMe data breach occurred when hackers launched a months-long attack, using previously stolen usernames and passwords to log in to user accounts. These credentials had been obtained through other, unrelated breaches and were replayed against 23andMe’s login page (a technique known as credential stuffing) to infiltrate thousands of 23andMe profiles. Once inside, attackers downloaded users’ raw genetic data—some of the most personal and unchangeable information an individual possesses. Shockingly, 23andMe had not enabled extra verification steps such as multi-factor authentication at the time, a basic security measure that could have stopped the unauthorized access even though the passwords themselves were valid. According to the ICO, this failure to implement adequate safeguards constituted a breach of UK data protection laws.
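To show what the attack pattern described above looks like from the defender's side, here is an added example (not code from 23andMe or the ICO) that scans constructed login records for the credential-stuffing signature: one source trying many distinct accounts with a low success rate, and then the accounts that source reached with a valid password but no second factor. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of authentication events (not real 23andMe logs):
# (timestamp, source IP, username, outcome, second factor completed?)
SAMPLE_EVENTS = [
    ("2023-05-01T10:00:01", "203.0.113.7", "alice", "fail", False),
    ("2023-05-01T10:00:02", "203.0.113.7", "bob", "fail", False),
    ("2023-05-01T10:00:03", "203.0.113.7", "carol", "success", False),
    ("2023-05-01T10:00:04", "203.0.113.7", "dave", "fail", False),
    ("2023-05-01T10:00:05", "203.0.113.7", "erin", "fail", False),
    ("2023-05-01T10:00:06", "203.0.113.7", "frank", "success", False),
    # A normal user: one account, a typo, then a login that completed MFA.
    ("2023-05-01T10:05:00", "198.51.100.2", "alice", "fail", False),
    ("2023-05-01T10:05:10", "198.51.100.2", "alice", "success", True),
]


def credential_stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Return source IPs that tried many distinct accounts with a low success
    rate: the signature of replaying passwords harvested from other breaches,
    where most leaked pairs no longer work but a few still do."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "successes": 0})
    for _ts, ip, user, outcome, _mfa in events:
        stats = per_ip[ip]
        stats["accounts"].add(user)
        stats["attempts"] += 1
        stats["successes"] += outcome == "success"
    return sorted(
        ip for ip, s in per_ip.items()
        if len(s["accounts"]) >= min_accounts
        and s["successes"] / s["attempts"] <= max_success_rate
    )


def logins_without_second_factor(events, suspicious_ips):
    """Accounts accessed from a flagged source with a valid password but no
    second factor: the gap MFA closes, and the accounts to reset first."""
    return sorted({
        user for _ts, ip, user, outcome, mfa in events
        if ip in suspicious_ips and outcome == "success" and not mfa
    })


if __name__ == "__main__":
    flagged = credential_stuffing_sources(SAMPLE_EVENTS)
    print("suspicious sources:", flagged)
    print("accounts reached without MFA:", logins_without_second_factor(SAMPLE_EVENTS, set(flagged)))
```

With MFA enforced, the second list would be empty even when the first is not, which is the point the ICO finding turns on.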

Why 23andMe Was Fined and What It Means for Consumers

The UK’s data watchdog determined that 23andMe did not take the necessary steps to protect its customers' sensitive data. By not requiring additional verification layers before granting access to genetic data, the company left user accounts vulnerable. As a result, the ICO issued a £2.31 million penalty. This fine sends a strong message to tech and health-related companies: storing and processing personal and genetic data comes with serious legal and ethical responsibilities. For consumers, this case raises valid concerns about entrusting private information to platforms that may not invest enough in security infrastructure. It also highlights the importance of choosing services that offer transparency, data encryption, and advanced account protections.

What’s Next for 23andMe After the Breach and Fine?

Following the fallout from the 23andMe data breach, the company has introduced mandatory multi-factor authentication for all users—a long overdue step that many believe should have been standard from the beginning. However, the damage has already been done. In the wake of the breach, 23andMe filed for bankruptcy protection in the U.S., and a court hearing is now underway to determine the future of its assets, including the sale of the company. Meanwhile, UK authorities remain in contact with 23andMe’s trustee. For now, users are urged to review their data-sharing settings and ensure they are using strong, unique passwords across all online accounts. As digital health services become more popular, this breach may set a precedent for stricter regulatory oversight and higher expectations around data security in the industry.