Wednesday, June 18, 2025

UK watchdog slams 23andMe with £2.3m fine after hack hits 7 million—including 150,000 Britons


Hackers exposed DNA, family trees, and ethnicity data in a breach the UK watchdog calls deeply damaging

Genetic testing giant 23andMe has been fined £2.31 million by the UK’s Information Commissioner’s Office (ICO) after a devastating cyber attack exposed the DNA data of more than seven million users worldwide—including 150,000 people in Britain.

The 2023 hack, described by UK Information Commissioner John Edwards as “profoundly damaging,” compromised highly sensitive personal information, including addresses, dates of birth, photographs, medical reports, and racial and ethnic details.

“Their security systems were inadequate, the warning signs were there, and the company was slow to respond,” Edwards said. “This left people’s most sensitive data vulnerable to exploitation and harm.”

The UK’s fine, which follows a joint investigation with Canada’s privacy watchdog, is the most severe punishment available under current laws. Despite that, British victims of the breach will receive no compensation. In contrast, American victims were awarded $30 million in a class action settlement last year.

A key concern for regulators was the scale and nature of the data taken. A sample database posted to the dark web identified nearly one million users as being of Ashkenazi Jewish heritage. “Crazy. This could be used by Nazis,” one affected person told NBC News at the time.


The attack reportedly began in April 2023 but went unnoticed for months. It wasn’t until October—when a staff member stumbled across the stolen data being advertised on Reddit—that 23andMe launched an internal investigation. It took until year-end to halt the breach.

By March 2025, the once-pioneering firm—founded in 2006 and long considered the leader in consumer DNA testing—had filed for bankruptcy, its reputation irreparably damaged. The company is now being sold to a non-profit organisation run by co-founder Anne Wojcicki for $305 million (£225 million).

Even as the sale moves forward, scrutiny has intensified. During a fiery US Senate hearing, Senator Josh Hawley accused 23andMe’s interim CEO Joseph Selsavage of lying about user control over genetic data. “You’re not deleting it,” he said. “If you were, your company wouldn’t be worth $300 million.”

Selsavage denied the accusation, insisting that user data is deleted upon request.

Meanwhile, UK cybersecurity expert James Moss of Addleshaw Goddard called the ICO fine “about as serious as it gets,” but noted that an enforcement order—a legally binding requirement to uphold future data protections—is even more consequential.

“In the long run, that notice is arguably more important than the fine,” Moss explained. “It puts them under a continuing legal obligation to protect the personal data of those 150,000 UK citizens.”

Across the Atlantic, 28 US attorneys general have launched a legal action to safeguard user data during the company’s sale, while urging people to delete their information.

23andMe, which had struck over 30 data-sharing deals with pharmaceutical companies like GSK, is now pledging better protections. TTAM, the buyer, has committed to stricter privacy rules, including deletion rights, prior customer notice, and restrictions on future resale.

Affected users will receive two years of free Experian identity monitoring. TTAM also confirmed it would continue to allow de-identified data to be used for academic and biomedical research.

Yet for many, the damage is done.

Solicitor Alex Lawrence Archer from data rights agency AWO believes collective legal action in the UK is overdue. “A fine helps the state, but not individuals,” he said. “Class actions could ensure real redress for victims.”

He also warned future customers to think twice. “Handing over your genetic data is a big step. It’s difficult to undo and shouldn’t be taken lightly.”
