On 17 June 2025, the ICO finalised its £2.31 million fine against 23andMe in relation to a cyber attack that led to unauthorised access to the personal information of 155,592 UK residents, including race, ethnicity and health information.
In its statement about the fine, the ICO highlighted the following security issues:
- failure to implement appropriate authentication and verification measures such as secure passwords, multifactor authentication or unpredictable usernames
- failure to implement appropriate controls over access to raw genetic data
- lack of effective systems to monitor, detect and respond to cyber threats
In addition, the ICO found the company’s response to the incident inadequate. 23andMe was aware of potential unauthorised activity on its platform in July 2023 but did not begin a full investigation until October 2023. The ICO treated this delay as an aggravating factor, increasing the penalty by 10%.
This is another instance of a company compounding its existing security failings through the way it handled the fallout from a data breach.
The full monetary penalty notice is published on the ICO’s website.
With so many high-profile cyber incidents in the news at the moment, if you think it is time to review how you approach data breaches, please get in touch by emailing hello@hellodpo.com and the team will be happy to help.