UK regulators imposed a £2.31 million ($3.1 million) fine on genetic testing company 23andMe after their personal and genetic data of more than 150,000 UK users became publicly exposed due to a cyberattack in 2023 as reported by Bloomberg.
UK regulators through the Information Commissioner’s Office (ICO) imposed the penalty after collaborating with the Office of the Privacy Commissioner of Canada during their joint investigation. The investigation revealed the company had not put in place necessary protective measures for sensitive data which included insufficient login security, inadequate genetic information access controls, and poor threat detection systems, Bloomberg reports.
Security experts discovered that the breach which started in April 2023 remained unnoticed for multiple months. The UK watchdog stated that the company initiated its full internal investigation in October after an employee found that user data was being sold on Reddit.
The ICO has confirmed that attackers gained access to user names, profile photos, locations, and health information. Authorities condemned the company because it failed to implement fundamental cybersecurity measures earlier.
UK Information Commissioner John Edwards declared in an ICO statement that 23andMe neglected fundamental protective measures for this data.
The breach that occurred intensified public examination about how 23andMe manages its consumer data according to Reuters.
A San Francisco-based company that used to be seen as a Silicon Valley success story now faces profitability challenges. The company declared bankruptcy in March 2025 because of financial struggles that resulted from decreasing market demand combined with increasing regulatory challenges.
The company’s remaining assets have been transferred to new owners.Bloomberg reports that Anne Wojcicki, the company’s former CEO, and the nonprofit TTAM Research Institute purchased 23andMe's assets through a bankruptcy auction which has resulted in new concerns about the fate of its extensive genetic data collection.
Both privacy advocates and regulators have voiced their worries about the enduring dangers that come with turning sensitive data into commercial products.
UK Information Commissioner John Edwards announced through an ICO statement that 23andMe did not implement fundamental information protection measures.
The security breach reported by Reuters further increases the public examination of 23andMe's management of consumer data.
The San Francisco tech company that was once hailed as a Silicon Valley success story now faces persistent challenges in sustaining its profitability. The company declared bankruptcy in March 2025 because of financial problems which resulted from diminishing demand and increasing regulatory challenges.
The remaining assets of the company have been transferred to new ownership.Anne Wojcicki along with TTAM Research Institute bought 23andMe’s assets during a bankruptcy auction according to Bloomberg and now questions emerge about the company's extensive genetic database.
The commercial use of sensitive data triggers long-term risk concerns from privacy advocates and regulatory bodies.