The ICO’s Penalty Against 23andMe Brings New Emphasis on Cybersecurity Risks - Key Takeaways for U.S. Companies

Womble Bond Dickinson

The dramatic increase in global reach that the internet gives U.S.-based companies is a double-edged sword. While it significantly expands a company’s potential customer pool, it also subjects the company to international regulatory requirements designed to protect data subjects. Companies should be aware of those requirements and tailor a compliance framework across jurisdictions to avoid potentially significant liability.

For example, many U.S. companies model their international compliance on EU and UK GDPR concepts. The UK Information Commissioner’s Office (“ICO”) recently imposed a monetary penalty on 23andMe, Inc., an American company incorporated in California, which underscores the importance of U.S. companies evaluating global compliance risk, as failure to do so can lead to serious consequences. This breakdown of the ICO’s penalty notice highlights lessons for U.S. companies regardless of industry.

ICO Penalty Notice 

On June 5, 2025, the ICO issued a significant monetary penalty notice against 23andMe, imposing a fine of £2.3 million (roughly $3.1 million USD) for serious violations of the UK General Data Protection Regulation (UK GDPR). This enforcement action, which followed a joint investigation with the Office of the Privacy Commissioner of Canada, was prompted by a significant data breach that compromised the personal and special category data of 150,000 UK data subjects.

Nature and Scope of the Data Breach

23andMe is a global provider of genetic testing services. It provides services to consumers to map their DNA and then match their genetic data to others so consumers can track their ancestry and identify their family tree.

The reported compromise of 23andMe's systems happened in 2023 and was caused by a credential stuffing attack, in which attackers used usernames and passwords (previously compromised in unrelated data breaches) to attempt logins on the 23andMe platform. Around 300,000 login attempts were made, resulting in the compromise of 611 customer accounts. Due to the interconnected nature of 23andMe’s genetic matching services (such as ancestry searches and family trees), access to a single account revealed information about multiple individuals. As a result, the attacker was able to download from those accounts data relating to approximately 150,000 UK individuals.

Two UK individuals had their raw genetic data exfiltrated using a function built into the customer accounts that allowed the customer to download their own data. Even where raw genetic data was not stolen, the ICO found that the confidentiality and integrity of the raw genetic data associated with the 611 breached accounts was compromised.

Beyond the raw genetic data, the broader compromised dataset (such as ancestry reports and family trees) included, or impliedly revealed, sensitive data such as race, ethnicity, and health status of approximately 150,000 people. This data constituted special category data under Article 9 of the UK GDPR (also sensitive personal data under comprehensive U.S. state privacy laws).

Regulatory Findings

The ICO noted that 23andMe failed to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in breach of Articles 5(1)(f), 32(1)(b), and 32(1)(d) of the UK GDPR. The ICO found the company’s security posture to be inadequate, particularly given the high sensitivity of the data it processed.

The ICO investigation determined 23andMe’s password policies were weak, with insufficient requirements for complexity or length, and no checks were undertaken against known compromised password lists. Customers were not provided with adequate guidance on creating strong passwords at the point of account creation. The use of email addresses as usernames was also criticized, as it increased the risk of successful credential stuffing attacks. Multi-factor authentication (MFA) was offered by 23andMe but not mandated, a decision the ICO found unacceptable given the high-risk nature of the data involved. Despite 23andMe’s claim that mandatory MFA would be difficult for users, particularly those who are older and vulnerable and lacking in basic digital skills, the ICO signaled that MFA should be a mandatory requirement for all online accounts. 

There was no device fingerprinting in place, meaning customers could not restrict access to their trusted devices. Nor were customers notified when their accounts were accessed from new devices or IP addresses, and they were not given access to their own login histories so they could not check for unauthorized logins. 

23andMe had not conducted breach simulations or penetration tests specifically targeting credential stuffing, even though this was a well-known risk (and the tests it did undertake were undocumented – which the ICO found was a failure in itself). 

Critically, no additional verification steps were required before a customer downloaded their raw genetic data, despite the high sensitivity of such information. Furthermore, defective IP address logging meant it was impossible to determine with certainty (after the data breach) whether raw genetic data downloads were from legitimate customers or malicious IP addresses.

Early Warning Signs Missed 

The ICO noted that 23andMe missed several early warning signs that it had been compromised in the months before the main attack occurred. Notably, the ICO found a breach of Article 32(1)(d) UK GDPR, which requires organizations to have processes in place to continuously monitor and evaluate the effectiveness of security measures.

Among the missed indicators highlighted by the ICO was a large spike in failed login attempts—typical of credential stuffing attacks—which went undetected. The company also identified approximately 400 suspicious earlier attempts to transfer customer account data and required those customers to reset their passwords, but did not conduct a broader investigation to determine whether that issue was indicative of an underlying systemic risk.

Additionally, messages were sent to 23andMe’s former CEO claiming that the data of 10 million individuals had been stolen. Similar claims were posted on social media and dark web forums. 23andMe saw these warnings but did not further investigate and instead dismissed them as hoaxes.

Incident Response and Notification 

The ICO also found that 23andMe’s response to the breach was unacceptably slow, noting that it took the company four days (after discovering the breach) to shut down compromised accounts and force a password reset for all customers. Even more concerning, customers were still able to access and download their raw genetic data for nearly a month after the breach was identified without any additional security controls being put in place. Notification to the ICO was delayed by ten days, exceeding the 72-hour requirement under Article 33. However, the ICO did not treat this as a breach of the UK GDPR, acknowledging the global nature of the incident and the time required to determine whether customers in each jurisdiction were impacted.

The notifications sent to affected data subjects were also found to be defective. The ICO stated that the notices failed to specify the period during which the breach occurred, did not disclose that raw genetic data may have been at risk, and omitted any guidance on the potential consequences for individuals.

Cooperation with the ICO

Although the ICO ultimately chose not to treat 23andMe’s limited cooperation as an aggravating factor—largely due to the company’s financial distress and related loss of key personnel—the regulator expressed dissatisfaction with the level of engagement, highlighting that the company failed to provide information in the requested format, missed deadlines, and seemed to prioritize responses to US regulators. Some of the information provided was insufficiently detailed, and at times inaccurate, and required substantial revision. There were also delays in disclosing key facts, including the risk to raw genetic data, the threatening messages the attacker sent to the former CEO, and the defects in IP logging. The findings emphasize the importance of timely cooperation in the event of a regulatory investigation, including making key staff and information available in the form and manner requested.

Regulatory Process and Penalty

The ICO’s thorough investigation included interviews with 23andMe personnel, an oral submissions hearing (which is very rare), and the collection of evidence from affected individuals on the harm (distress) they suffered. The penalty notice is one of the most comprehensive and detailed enforcement documents issued by the ICO to date, spanning 150 pages. 

Ultimately the ICO concluded that the infringements of the UK GDPR had a "high degree of seriousness" and warranted a penalty of up to 60% of the statutory maximum. The final penalty was significantly reduced to £2.3m in light of 23andMe’s distressed financial position (the company filed for Chapter 11 bankruptcy in March 2025).

The ICO also considered imposing an enforcement notice compelling 23andMe to implement corrective measures, but was persuaded that these had already been adopted so dropped that enforcement element. 

Observations and Key Takeaways for Cybersecurity

The ICO has focused on several new angles of enforcement that will presumably also be considered in future data breach investigations. Organizations should evaluate their operational, administrative, and technical safeguards to ensure alignment with these security considerations. If any measure is considered not appropriate to the risk, the rationale should be documented in writing to memorialize the reasons for that conclusion. In light of the issues identified by the UK Information Commissioner’s Office, organizations should also consider implementing the following:

  1. Implement MFA controls and require MFA for online accounts, particularly for services that involve sensitive personal data or special categories of data. The ICO notice comes close to expressly stating that MFA is a mandatory requirement for all online accounts. This is in line with other recent public statements by the ICO, indicating a zero-tolerance approach to the absence of MFA.
  2. Require unique usernames rather than email addresses. Although not yet an absolute requirement, it is clear that the ICO looks positively on this security measure.
  3. Provide guidance (and enforced requirements) on creating strong passwords at the time of account creation.
  4. Undertake specific data breach simulations or penetration tests for each type of material risk vector faced by an organization, which may require multiple simulations or tests each year. Equally important, organizations should take timely action to remediate any perceived vulnerabilities or enhancement opportunities identified in such tests.
  5. Warn users when new devices are used to access their accounts, or give users functionality to view such information.
  6. Provide users with their account usage history so they can check for unauthorized access.
  7. Accurately log IP addresses associated with account activity so that an effective post-incident investigation can be conducted.
  8. Complete a risk assessment of security events to identify in each instance potential indications of a wider problem (and record the outcome of that assessment, such as on the security event ticket).
  9. Ensure the wording of data subject notifications is complete and accurate, fairly describes the risks to data subjects, and meets all the prescriptive requirements of Article 34 UK GDPR, as such notifications may come under greater scrutiny.
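As an added illustration (not from the ICO notice and not 23andMe’s code), the following Python sketch shows the monitoring controls the ICO found missing: flagging a source IP whose failed logins span many distinct accounts (the credential stuffing spike described under Early Warning Signs above) and alerting on successful logins from a device or IP the account has not used before, together with a per-account login history (items 5 to 7 above). The log format, usernames and IP addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication events (not real 23andMe logs):
# timestamp  username  source_ip  device_id  outcome
SAMPLE_LOG = """\
2023-04-01T10:00:00 alice@example.com 198.51.100.7 dev-a1 success
2023-04-01T10:00:05 bob@example.com 203.0.113.5 dev-b1 success
2023-04-01T10:01:00 carol@example.com 192.0.2.10 dev-q fail
2023-04-01T10:01:01 dave@example.com 192.0.2.10 dev-q fail
2023-04-01T10:01:02 erin@example.com 192.0.2.10 dev-q fail
2023-04-01T10:01:03 frank@example.com 192.0.2.10 dev-q fail
2023-04-01T10:01:04 gina@example.com 192.0.2.10 dev-q fail
2023-04-01T10:01:05 alice@example.com 192.0.2.10 dev-q success
2023-04-01T10:02:00 bob@example.com 203.0.113.5 dev-b1 fail
2023-04-01T10:02:03 bob@example.com 203.0.113.5 dev-b1 success
"""

def parse_log(text):
    """Parse whitespace-separated auth events; every event carries its source IP."""
    events = []
    for line in text.splitlines():
        ts, user, ip, device, outcome = line.split()
        events.append({"ts": ts, "user": user, "ip": ip,
                       "device": device, "ok": outcome == "success"})
    return events

def stuffing_sources(events, min_failures=4, min_users=4):
    """Flag source IPs whose failures span many distinct accounts: the
    one-source, many-usernames pattern of credential stuffing, as opposed
    to a single user mistyping their own password a few times."""
    fails, users = defaultdict(int), defaultdict(set)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
    return {ip: {"failures": n, "accounts": len(users[ip])}
            for ip, n in fails.items()
            if n >= min_failures and len(users[ip]) >= min_users}

def new_device_logins(events):
    """Successful logins from a (device, IP) pair the account has not used
    before; an account's first-ever login only seeds its baseline."""
    seen, alerts = defaultdict(set), []
    for e in events:
        if not e["ok"]:
            continue
        key = (e["device"], e["ip"])
        if seen[e["user"]] and key not in seen[e["user"]]:
            alerts.append((e["user"], e["ts"], e["ip"], e["device"]))
        seen[e["user"]].add(key)
    return alerts

def login_history(events, user):
    """Per-account history so a user can check for logins they do not recognize."""
    return [(e["ts"], e["ip"], e["device"], "success" if e["ok"] else "fail")
            for e in events if e["user"] == user]
```

In the sample, the five failures from 192.0.2.10 across five accounts are flagged, while bob’s single mistyped password from his usual device is not, and alice’s successful login from the same attacking IP and an unknown device produces a new-device alert.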


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Womble Bond Dickinson
