
A data breach in 2023 by DNA testing firm, 23andMe, which compromised sensitive data of thousands of individuals, resulted in a hefty fine of £2.31 million by the Information Commissioner's Office (ICO) in June 2025.

The ICO stated that the company had failed to put adequate measures in place to secure personal data prior to the incident and that its investigation had uncovered "serious security failings".

The Breach

23andMe was targeted by what is known as a "credential stuffing attack", where hackers use passwords that have been exposed in previous breaches to access the accounts of people who are using the same, or very similar, credentials on other sites. 14,000 individuals' accounts were accessed using this technique, and information relating to around 6.9 million people, some of whom were linked to the accounts as possible relatives, was downloaded by the hackers. The type of data compromised was vast, including names, year of birth, geographical information (as specific as postcodes and cities) and profile images, along with particularly sensitive data such as race and ethnicity, health reports, family trees and information about individuals' DNA (known as "Raw Genetic Data").

The individuals impacted were understandably concerned as the information that was leaked was fundamental to their identity and there was no way to anticipate how such a breach would impact the accountholders, as well as those connected to them, in the future.

Inadequate Systems

UK data protection law requires additional protections to be put in place to safeguard genetic data, which is considered special category data given its sensitive nature. In an investigation handled jointly with the Office of the Privacy Commissioner of Canada, the ICO found that 23andMe breached UK data protection law by not having enhanced security measures in place to protect the data, such as multi-factor authentication and verification methods during the login process or when downloading data; nor was there any requirement for users to have sophisticated usernames and passwords.

Further, 23andMe's response after the incident was also considered inadequate. It transpired that the hackers began the credential stuffing attack in April 2023 before carrying out intense credential stuffing in May 2023. When some of this activity was first investigated by the company in August 2023, it was dismissed as a hoax. It was not until October 2023, following a wave of credential stuffing in September 2023, that the matter was fully investigated, after an employee discovered stolen data being advertised for sale on another platform.

Ultimately, the various issues identified were not resolved until 2024. The Information Commissioner, John Edwards, said that "23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm."

Key Takeaways from the decision

Looking more closely at some of the infringements which were discovered by the ICO in this case, organisations can get an insight into the kind of security measures they should have in place to ensure that they do not fall short of their duties under the UK GDPR and Data Protection Act 2018.

We highlight the key takeaways below:

  • Password complexity
    An interesting factor that the ICO focussed on was that there was no requirement from 23andMe for users to have unpredictable usernames in lieu of email addresses, nor were there any minimum password lengths or complexity requirements. Although neither of these are prescribed under the UK GDPR or Data Protection Act 2018, the legislation does require security to be "appropriate" to the nature, scope, context and purpose of the data and the risks that might be posed to individuals. The ICO commented that these types of protections would be appropriate methods to enhance security against unauthorised access, and specifically against credential stuffing attacks in the 23andMe case, and likely relevant to any organisation handling more sensitive personal data.

  • Multi-Factor Authentication (MFA)
    The ICO also specifically noted the lack of mandated multi-factor authentication, which is considered one of the most effective methods of securing against such attacks. The lack of MFA has also formed part of the ICO's reasoning when it has issued fines against other organisations, so it is clearly on the regulator's radar as a basic security measure. It seems that organisations who fall victim to a cyber attack or data breach and who do not have MFA in place will likely be given short shrift by the ICO in its investigation.

  • Layering the security requirements
    Further, the ICO also noted that 23andMe's failure to operate any additional verification steps before customers could access or download Raw Genetic Data constituted an infringement of its obligations under the data protection legislation. This failure was considered particularly significant given the lack of security measures applied during the initial login process, set out above. Although 23andMe suggested that those responsible for the attack only downloaded Raw Genetic Data relating to four customers worldwide, the ICO considered that, regardless of the number of customers whose Raw Genetic Data was actually downloaded, the absence of additional security in the download process meant that the data was nevertheless available to the threat actor once they had successfully accessed an account. These observations were specifically relevant due to the nature of the data in question. The appropriateness of the technical and organisational security measures which a controller is required to implement must be considered in light of the type of personal data being processed; as the data in question was Raw Genetic Data, it is clear that the ICO would have expected much greater and additional security measures to be in place before it could be downloaded. As such, it is important for organisations to avoid a broad-brush approach to the protection of data, and to adjust the level of security based on the sensitivity of the particular data in question. It will not be a "one size fits all" approach, but will depend on the sensitivity of the data and the risks associated with it.
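    The three controls the ICO singled out (password requirements, a mandated second factor, and a further verification step before the most sensitive data can be downloaded) are straightforward to express in code. The following is an added example written for this article, not 23andMe's code or anything published by the ICO; the policy values (12-character minimum, a 10-minute freshness window for the second factor), the category names, the breached-password list and the function names are all constructed for illustration.

```python
"""Layered access control: password policy plus step-up verification
before sensitive downloads.  Added example; all values are assumptions."""
import time
from dataclasses import dataclass
from typing import Optional

MIN_PASSWORD_LENGTH = 12            # assumed policy value
STEP_UP_MAX_AGE_SECONDS = 10 * 60   # assumed: second factor must be this fresh for a sensitive download

# Constructed stand-in for a breach-corpus lookup (a real deployment would query a full corpus)
KNOWN_BREACHED = {"password123", "qwerty12345!", "letmein2023"}

# Categories that need a fresh second factor at download time, not just at login (assumed names)
SENSITIVE_CATEGORIES = {"raw_genetic_data", "health_reports", "family_tree"}


def check_password(password: str, username: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    # Count how many character classes (lower, upper, digit, symbol) are present
    classes = sum(
        any(test(c) for c in password)
        for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in KNOWN_BREACHED:
        problems.append("appears in a known breach corpus")
    return problems


@dataclass
class Session:
    user: str
    mfa_verified_at: Optional[float] = None   # epoch seconds of the last second-factor check, if any


def authorize_download(session: Session, category: str, now: Optional[float] = None) -> tuple:
    """Decide whether a logged-in session may download `category` right now.

    A valid login session is enough for ordinary data; sensitive categories
    additionally require a second factor presented within STEP_UP_MAX_AGE_SECONDS,
    so a stolen password alone never reaches the most sensitive records."""
    now = time.time() if now is None else now
    if category not in SENSITIVE_CATEGORIES:
        return True, "non-sensitive category: login session suffices"
    if session.mfa_verified_at is None:
        return False, "step-up verification required before downloading sensitive data"
    if now - session.mfa_verified_at > STEP_UP_MAX_AGE_SECONDS:
        return False, "second factor too old: re-verify before download"
    return True, "recent second factor present"


if __name__ == "__main__":
    print(check_password("password123", "alice"))
    print(authorize_download(Session("alice"), "raw_genetic_data"))
    print(authorize_download(Session("alice", mfa_verified_at=time.time()), "raw_genetic_data"))
```

    The point of the two layers is the one the ICO made: an attacker who has only a reused password fails `authorize_download` for Raw Genetic Data even after a successful login, and `check_password` stops the weakest reused credentials from being accepted in the first place.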
     
  • Preparing for and responding to an attack
    Finally, the ICO criticised 23andMe's failure to prepare for a credential stuffing attack and to implement appropriate and effective measures to monitor for, detect, and respond to, unauthorised activity. This demonstrates the importance of organisations planning ahead for possible cyber security risks and having systems in place, not just to prevent any attacks but also the ability to respond quickly should an attack take place in order to minimise its potential impact. The ICO heavily criticised 23andMe for its "inadequate" response to the unfolding incident, which spanned 6 months from initial attack to a full internal investigation into the unauthorised activity. The activity had initially been dismissed as a hoax, and a full investigation was only launched in response to an employee discovering personal data being advertised for sale on a separate platform.
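    The monitoring the ICO found missing is, at its simplest, a check on the authentication log: one source address failing against many different accounts in a short window is the signature of credential stuffing, and a success from that same source after the failures is the sign that an account has actually been taken over. The example below is added for this article and is not 23andMe's tooling; the log format, the window and threshold values, the RFC 5737 documentation addresses and the sample log lines are all constructed for illustration.

```python
"""Credential-stuffing detection over authentication log lines.
Added example; log format, thresholds and sample data are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> login user=<name> ip=<addr> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)
WINDOW = timedelta(minutes=10)     # assumed sliding window per source address
DISTINCT_USER_THRESHOLD = 5        # assumed: failures on this many distinct accounts from one IP

# Constructed sample: 203.0.113.7 sprays five accounts then logs in as "fay";
# 198.51.100.9 is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2023-05-02T03:14:07Z login user=amy ip=203.0.113.7 result=FAIL
2023-05-02T03:14:09Z login user=ben ip=203.0.113.7 result=FAIL
2023-05-02T03:14:10Z login user=gus ip=198.51.100.9 result=FAIL
2023-05-02T03:14:11Z login user=cara ip=203.0.113.7 result=FAIL
2023-05-02T03:14:13Z login user=dan ip=203.0.113.7 result=FAIL
2023-05-02T03:14:15Z login user=eve ip=203.0.113.7 result=FAIL
2023-05-02T03:14:16Z login user=gus ip=198.51.100.9 result=FAIL
2023-05-02T03:14:18Z login user=fay ip=203.0.113.7 result=OK
2023-05-02T03:14:40Z login user=gus ip=198.51.100.9 result=OK
"""


def parse(log_text: str) -> list:
    """Parse matching lines into dicts sorted by timestamp; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(log_text: str) -> list:
    """Return findings: one 'credential_stuffing' per offending IP, and one
    'success_after_spray' per account that logged in from that IP afterwards."""
    findings = []
    recent = defaultdict(deque)      # ip -> (ts, user, result) events inside WINDOW
    flagged_ips = set()
    flagged_takeovers = set()
    for e in parse(log_text):
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"], e["result"]))
        while q and e["ts"] - q[0][0] > WINDOW:
            q.popleft()              # drop events older than the window
        failed_users = {u for _, u, r in q if r == "FAIL"}
        spraying = len(failed_users) >= DISTINCT_USER_THRESHOLD
        if spraying and e["ip"] not in flagged_ips:
            flagged_ips.add(e["ip"])
            findings.append({"kind": "credential_stuffing", "ip": e["ip"],
                             "distinct_users": len(failed_users), "at": e["ts"].isoformat()})
        if spraying and e["result"] == "OK" and (e["ip"], e["user"]) not in flagged_takeovers:
            flagged_takeovers.add((e["ip"], e["user"]))
            findings.append({"kind": "success_after_spray", "ip": e["ip"],
                             "user": e["user"], "at": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

    The second finding kind is the one that warrants an immediate response (session revocation and a forced password reset for the affected account), which is the "respond quickly" capability the ICO expected alongside prevention. A user who fails on their own account and then succeeds never trips either rule, because the threshold counts distinct accounts rather than attempts.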

CyberSecure360

In addition to these particular takeaways from the ICO's report, it is clear that in light of the growing sophistication of cybercrime, it is crucial for organisations to:

  • understand their risk profile; 
  • implement robust cybersecurity measures; 
  • align security controls with likely risk; and 
  • understand how they will respond to attacks to mitigate risk.

Combining the legal excellence of Trowers' cyber team and award-winning cyber experts, CyberQ, CyberSecure360 offers legal and technical cybersecurity advice tailored to clients' requirements – from assessing compliance with cyber policies, undertaking risk assessments through penetration testing and incident response planning to providing training and playing out war-room scenarios in real time.

For more information or to discuss your cyber and fraud prevention needs please contact our specialist cyber team.