DNA testing company 23andMe faces a £2.3 million fine from the UK’s Information Commissioner’s Office (ICO) after a large 2023 data breach exposed sensitive personal information of over 150,000 UK customers. Meanwhile, former CEO Anne Wojcicki is set to regain control of the company after winning a $305 million bid in a U.S. bankruptcy auction. This moment marks a turning point for 23andMe as it navigates privacy challenges and ownership changes.
What’s Happening & Why This Matters
23andMe, known for its popular saliva-based DNA testing kits priced around £89, offers users insights into their ancestry, health, and ethnicity. However, the company’s security faltered in 2023 when hackers accessed family trees, health reports, names, and postcodes of UK users. The breach compromised data from roughly 7 million customers worldwide.
The ICO found that 23andMe failed to adequately protect users’ accounts. Attackers exploited password reuse vulnerabilities through “credential stuffing,” an automated method where stolen passwords from unrelated breaches are tested to gain access. The company delayed responding to the breach, only confirming it months later when an employee spotted stolen data for sale on Reddit.
John Edwards, the UK Information Commissioner, called the incident “profoundly damaging.” He said, “Once this information is out there, it cannot be changed or reissued like a password or credit card number.” The breach put people’s most sensitive information, including family history and health data, at risk of misuse.
Following the breach, 15% of 23andMe’s customers requested account closures. Privacy advocates urge users to demand the deletion of their genetic data to safeguard their identity.
The fine is part of a pattern of ICO enforcement actions targeting data protection failures. Previous fines include £4.4 million against construction firm Interserve and nearly £3.1 million against NHS IT supplier Advanced Computer Software Group for exposing sensitive staff and patient data.
Parallel to the fine, Anne Wojcicki’s nonprofit, TTAM Research Institute, placed the winning bid of $305 million to take 23andMe private in bankruptcy court. Wojcicki had previously attempted multiple buyouts. The deal is scheduled for a court hearing on June 17. TTAM commits to maintaining current privacy policies, complying with data protection laws, and not selling genetic data after acquisition. It also promises two years of free identity theft monitoring for customers.
New York and over two dozen U.S. states recently sued 23andMe to block the sale of customer data, highlighting the legal complexities in genetic data ownership during bankruptcy.
Wojcicki’s return could steer 23andMe toward reinforcing security and regaining customer trust. Her leadership focuses on responsible data handling and research ethics.
TF Summary: What’s Next
The ICO’s £2.3 million fine serves as a wake-up call for 23andMe’s data security practices. As Anne Wojcicki regains control, the company faces pressure to strengthen protections and reassure customers. Data privacy will remain a core challenge as genetic testing continues to grow.
The court ruling on the acquisition and ongoing legal battles in the U.S. will determine 23andMe’s path — affecting how sensitive genetic data is managed — globally.
— Text-to-Speech (TTS) provided by gspeech