
DNA testing company 23andMe has been fined for failing to protect its users' data in a cyber attack that took place in 2023.
This comes after an investigation conducted by the UK’s Information Commissioner’s Office (ICO) determined that the firm had failed to ‘implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023’.
As a result, 23andMe has been fined £2.31 million ($3.12 million) after a hacker was able to gain unauthorized access to the personal information of over 150,000 UK customers.
This information included things such as names, postcodes, birth years, images, ethnicity, family trees and health reports.
John Edwards, who is the UK Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.
“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”
In total, the ICO received 12 complaints from 23andMe users, with one anonymous person impacted by the data breach saying: “I expected rigorous privacy controls to be in place due to the nature of the information collected. Unlike usernames, passwords and email addresses, you can't change your genetic makeup when a data breach occurs.”
Another wrote: “Disgusted that my DNA data could be out there in the wild and been exposed to bad actors. Extremely anxious about what this could mean to my personal, financial and family safety in the future. Anxious about my 23andme connections, who may have been impacted and what this may mean further down the line for me.”

What can you do to strengthen your own cybersecurity?
If you’re worried that your own data might be vulnerable online, there are steps you can take to protect yourself.
First off, make sure you’re using a strong and unique password for each account you open, and be sure to enable two-factor authentication when possible.
Be alert for any phishing emails and scam messages, which you can report and delete.