23andMe fined £2.3M by UK ICO for 2023 credential-stuffing breach

The UK ICO fined genetic testing company 23andMe £2.3 million after finding that it failed to put in place the necessary security measures to prevent a cyberattack. 

The 2023 attack affected over 150,000 UK-based individuals, leaking data sets containing sensitive information, including genetic ancestry details and information about users’ relatives. The ICO determined that 23andMe had not taken appropriate steps to guard the data, especially considering the sensitive nature of the information gathered by the company. 

It is also worth mentioning that 23andMe recently filed for bankruptcy protection and has since been struggling to handle a massive volume of data deletion requests.

This fine is a reminder to companies that handle highly sensitive data, especially when that data is essential to their core business goals, of how crucial it is to implement proper safeguards to protect users’ data and the company’s reputation.