23ANDME FINED £2.31M FOR 2023 DATA BREACH – The fine will go directly to the state, not to the individuals whose data was compromised
23andMe has been hit with a £2.31 million fine by the UK’s Information Commissioner’s Office (ICO) following a 2023 cyberattack that exposed the personal details of seven million users, including more than 150,000 Britons. The breach, which compromised sensitive data such as health reports, family trees, and race and ethnicity details, as well as addresses, dates of birth, and profile pictures, has left many questioning the company’s ability to safeguard such valuable information.
Hackers gained access to the genetic testing giant’s database, and the stolen data was later found on dark web forums. Among the leaked details was a list of nearly one million individuals, allegedly with Ashkenazi Jewish heritage, based on their genetic profiles from 23andMe.
John Edwards, the UK’s Information Commissioner, described the breach as “profoundly damaging” given the extent of the personal information exposed. He added that the fine reflects the company’s repeated failures to adequately protect this highly sensitive data.
Despite the breach starting in April 2023, 23andMe only launched an internal investigation in October after discovering that the stolen data had been posted for sale on Reddit. By the end of the year, the company had strengthened its defences, but the damage had already been done.
Shockingly, the fine will go directly to the state, not to the individuals whose data was compromised, leaving victims in the UK without any legal recourse. In contrast, victims in the US won a $30 million settlement in a class action lawsuit related to the breach.