Genetic testing company 23andMe has been fined £2.31 million by the UK’s ICO for failing to protect UK users’ sensitive data, including ancestry details and raw genetic information.
What went wrong? Hackers used credential stuffing (logging in with passwords reused from other breaches, made easier by weak passwords) to break into nearly a million UK accounts. 23andMe had been warned but didn’t implement key safeguards like two-factor authentication.
🧬 The Privacy Breakdown:
☝️ Negligent Security – No 2FA, despite handling special category data.
☝️ Sensitive Exposure – Genetic data is permanent; you can’t change your DNA like a password.
☝️ Ignored Warnings – ICO says 23andMe knew the risks.
This breach is a wake-up call for any business handling biometric or health data. Are your “privacy by design” claims backed by actual security?
What’s your take?