The ICO has fined genetic testing company 23andMe £2.31 million. The fine relates to a data breach that affected the data of 155,592 UK users. The company failed to prevent a credential stuffing attack that allowed user data to be accessed and stolen. While the credentials were not stolen from 23andMe itself, it had no effective security controls in place to stop such a basic form of attack.

John Edwards, UK Information Commissioner, said, “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.
“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”
What happens now?
That’s an interesting question. 23andMe filed for bankruptcy due to the breach and other financial pressures. On 19th May 2025, a US biotech company, Regeneron, claimed it had an agreement to buy the assets for $256 million. That deal included the prize of the Personal Genome Service (PGS).
However, on 13th June 2025, former CEO and co-founder Anne Wojcicki upended that deal. She announced that a newly created non-profit, the TTAM Research Institute, wholly owned by her, had acquired the 23andMe assets. The price was $305 million, $49 million above the Regeneron offer. It ensures the company returns to her control, but raises a number of issues.
The first is why the court reopened the bidding. There is no information on this. It is highly unlikely that Regeneron would have announced a deal without believing it had won.
The second goes to trust. Given the problems that occurred under Wojcicki’s previous management of 23andMe, why would users trust her to manage their data? Additionally, with over 2 million former customers asking for their data to be deleted, what controls will the court require to ensure this happens?
The third concerns regulatory fines and court cases. Will TTAM pay the ICO fine? What happens to court cases brought by individuals over the loss of their data? Will Wojcicki use TTAM to sidestep all of this? This is something the court will need to decide on, presumably as part of the asset acquisition.
Fourth, what is the TTAM business model? It is a non-profit, so how will it seek to monetise the genome data, and what will it do with any money it makes?
Enterprise Times: What does this mean?
The ICO fine is surprisingly low, presumably because the ICO based it on the bankruptcy state of 23andMe. Whether it will get paid is another matter. We won’t know that for a while. It will be interesting to see how it now monitors TTAM and if it requires it to establish better cybersecurity controls on user data.
Beyond that, this shows the value of genome data. That Wojcicki was able to purchase the assets of a company that was once valued at $6 billion while she was at the helm, but which then went bankrupt, will raise eyebrows. Many will want to see the finer details from the court as to what this means for the debts and court cases against 23andMe.
Of equal interest will be what TTAM announces as its business model. The website is just a single page with a link to subscribe, but no details as to what you are subscribing to.
As many companies have shown, users have short memories when it comes to data breaches. In the end, user apathy and unawareness might just be the thing that enables 23andMe to make money and settle its debts.