Market Impact: 0.6

23andMe fined millions by UK watchdog over 'profoundly damaging' cyber attack

GOOGL, GOOG, AAPL, GSK
Cybersecurity & Data Privacy | Regulation & Legislation | Legal & Litigation | Healthcare & Biotech | Technology & Innovation | Management & Governance | Company Fundamentals

23andMe is being fined £2.31 million by the UK's privacy watchdog (ICO) following a 2023 data breach that compromised the personal information of seven million users, including over 150,000 Britons. The ICO cited repeated failures to protect sensitive data, including family trees, health reports, and ethnicity information, with Information Commissioner John Edwards calling it a "profoundly damaging breach." This action follows the company's bankruptcy filing in March and acquisition by co-founder Anne Wojcicki's non-profit TTAM for $305 million, amidst ongoing concerns about data security and deletion practices, as well as legal action from 28 US attorneys general.

Analysis

The UK's Information Commissioner's Office (ICO) has imposed a significant £2.31 million fine on genetic testing company 23andMe for a 2023 data breach that exposed the personal information of seven million individuals, including over 150,000 UK residents. The ICO characterized the breach as "profoundly damaging," citing 23andMe's "repeated failures to protect extremely sensitive data," inadequate security systems, unheeded warning signs, and a slow response to the incident, which began in April 2023 but was only investigated from October 2023. The stolen data included highly sensitive details such as family trees, health reports, race and ethnicity information, addresses, and dates of birth, with a specific dataset of 999,999 individuals allegedly of Ashkenazi Jewish heritage appearing on dark web forums.

This regulatory penalty follows 23andMe's bankruptcy filing in March 2025 and its subsequent planned acquisition for $305 million by TTAM, a non-profit led by co-founder Anne Wojcicki. The company faces ongoing scrutiny, including a legal challenge from 28 US attorneys general aimed at protecting user data during the sale, and accusations from US Senator Josh Hawley regarding the veracity of its data deletion policies. While TTAM has made commitments to enhance data protection, including allowing data deletion and offering identity theft monitoring, the historical practice of 23andMe selling user data to entities like GSK underscores the complexities of data monetization and privacy.

The ICO fine, described as "about as serious as it gets" by a cyber investigations director, will go to the state, unlike in the US, where victims secured a $30 million class-action settlement. The contrast highlights differences in legal redress mechanisms for data breach victims.