Womble Perspectives

When Data Gets Personal: The 23andMe Breach

Womble Bond Dickinson

Read the full article: The ICO’s Penalty Against 23andMe Brings New Emphasis on Cybersecurity Risks – Key Takeaways for U.S. Companies

Welcome to Womble Perspectives, where we explore a wide range of topics, from the latest legal updates to industry trends to the business of law. Our team of lawyers, professionals and occasional outside guests will take you through the most pressing issues facing businesses today and provide practical and actionable advice to help you navigate the ever changing legal landscape.

With a focus on innovation, collaboration and client service, we are committed to delivering exceptional value to our clients and to the communities we serve. And now, our latest episode.

In today’s episode of Womble Perspectives, we’re diving into a case that’s making waves in the cybersecurity and privacy landscape—especially for U.S. companies with global reach.

On June 5, 2025, the UK’s Information Commissioner’s Office, or ICO, issued a £2.3 million fine—about $3.1 million U.S.—against California-based genetic testing company 23andMe. The reason? A serious data breach that exposed the sensitive personal data of 150,000 UK individuals.

Let’s unpack what happened—and why it matters far beyond the biotech sector.

23andMe offers DNA testing services that help users trace ancestry and build family trees. But in 2023, the company fell victim to a credential stuffing attack—where hackers used previously leaked usernames and passwords to access user accounts.

Out of 300,000 login attempts, 611 accounts were compromised. But because of how 23andMe’s platform connects genetic data across users, those 611 breaches exposed information about 150,000 people. That included not just ancestry data, but sensitive details like race, ethnicity, and even health status.

Two users even had their raw genetic data downloaded—using a built-in feature that didn’t require any extra verification.

The ICO’s investigation was scathing. It found that 23andMe had weak password policies, didn’t require multi-factor authentication, and failed to monitor for suspicious activity. There were no alerts for logins from new devices, no device fingerprinting, and no way for users to view their own login history.

Even worse, the company missed early warning signs—like spikes in failed login attempts and direct messages from attackers claiming to have stolen data. Instead of investigating, 23andMe dismissed them as hoaxes.

The ICO also criticized the company’s slow response. It took four days to shut down compromised accounts and nearly a month to restrict access to raw genetic data. Notifications to affected users were vague and incomplete. And while the company did eventually cooperate with regulators, the ICO noted delays, inaccuracies, and a lack of urgency.

The result? One of the most detailed enforcement actions the ICO has ever issued—150 pages long—and a fine that could have been much higher if not for 23andMe’s financial distress. The company filed for Chapter 11 bankruptcy in March 2025.

So, what can other companies learn from this?

The ICO’s message is clear: if you handle sensitive data—especially genetic or health-related—you need to go above and beyond on security. That means:
• Mandating multi-factor authentication.
• Avoiding email addresses as usernames.
• Running regular breach simulations.
• Giving users visibility into their account activity.
• And documenting your decisions when you choose not to implement a security measure.

This case is a wake-up call for U.S. companies operating globally. GDPR isn’t just a European issue—it’s a global standard. And regulators are watching.

Thank you for listening to Womble Perspectives. If you want to learn more about the topics discussed in this episode, please visit The Show Notes, where you can find links to related resources mentioned today. The Show Notes also have more information about our attorneys who provided today's insights, including ways to reach out to them.

Don't forget to subscribe via your podcast player of choice so that you never miss an episode. Thank you again for listening.