23andMe data breach fine

UK watchdog fines 23andMe £2.3m for ‘profoundly damaging’ data breach

In one of the most significant data protection rulings we’ve seen in recent years, DNA testing company 23andMe has been fined £2.31 million by the UK’s Information Commissioner’s Office (ICO).

The fine follows a major data breach in 2023 that exposed deeply personal details of over 155,000 UK residents – and millions more worldwide.

The verdict? 23andMe simply didn’t do enough to protect people’s sensitive data.

What went wrong?

Back in 2023, hackers launched a “credential stuffing” attack. That’s when cybercriminals use stolen login details from one site to break into accounts on another – something that works all too often when people reuse passwords.

This allowed the attackers to access around 14,000 23andMe accounts directly. But because the site links users to genetic relatives, they were able to scrape data connected to nearly seven million people in total.

A warning ignored

The ICO was clear: the breach wasn’t just unfortunate, it was preventable. 23andMe failed to put basic protections in place, like multi-factor authentication or stronger password rules.

They didn’t spot the warning signs, and they didn’t act fast enough to fix the problems.

As Information Commissioner John Edwards put it: “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

What happens now?

The company has since filed for bankruptcy and 23andMe is being sold to a new owner, TTAM Research Institute, who say they’re committed to doing better. Promises have been made to improve data protection and give users more control, including the right to delete their data and opt out of research.

Can you claim compensation for the 23andMe data breach? 

At Join the Claim, we believe strongly in holding companies accountable – especially when it comes to something as personal as your genetic data. This breach isn’t just about sloppy IT practices. It’s about trust, transparency, and the responsibility companies have to protect their users. Because once private information is out in the world, there’s no getting it back.

Despite 23andMe filing for bankruptcy, lawyers in the UK are still pursing the company in a group action data breach claim.

 

Are you affected? If so, you could be due compensation.

Find out instantly with our easy-to-use checker.

Check my eligibility now

Found this helpful? Share it

Facebook
Twitter
WhatsApp
LinkedIn
Email

Or

You may also like:

Can BMW drivers claim compensation for the diesel emissions scandal?

BMW faces legal action over emissions-cheating software. Learn what the scandal involves, who is affected, and what it means for UK diesel car owners.

Asda equal pay claim: Can store workers fight for fair wages?

Asda store workers may be underpaid. Check if you qualify for an equal pay claim and take action to seek the compensation you deserve.

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.

You might also like

See more resources

Several bottles of Johnson's baby powder on a store shelf, symbolising the Johnson and Johnson talc lawsuit over alleged asbestos contamination and cancer risks.
  • Health & Medical, News

Johnson & Johnson talc lawsuit in the UK: What you need to know

A UK lawsuit claims Johnson & Johnson’s talc products cause cancer. Learn about the case,...
Low-angle view of people walking in a city, symbolising unity and collective action, related to key facts about group litigation for seeking justice.
  • News

10 must-know facts about group litigation for first-time claimants

Discover 10 essential facts about group litigation for first-time claimants. Learn how joining a group...
  • News, Travel

How to claim compensation for flight delays or cancellations in the UK

Delayed 3+ hours or had a cancelled flight? You could claim up to £520 under...

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the Claim is a registered trading name of Big on Media ltd. Big on Media is registered in the United Kingdom under licence number 09878028 with its registered office located at Big on Media, 6 Sunderland Street, Tickhill, Doncaster, DN11 9QJ

© Join the Claim All Rights Reserved | 2025

Go to claims