In 2023, 23andMe experienced a data breach that resulted in millions of customers' genetic data being exposed. The attack exposed around 14,000 user accounts and enabled the theft of data on roughly 6.9 million individuals who were listed as relatives on the website.
The stolen data included:
- Names
- Birthdays
- Location
- Profile pictures
- Race
- Health records
- Ethnicity
- Family trees
The investigation into the breach was initiated in June 2024 by the UK's Information Commissioner's Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC). One year later, in June 2025, the investigation ended, and the ICO and OPC issued a £2.31 million ($3.13 million) fine against 23andMe for the "severely harmful breach." 23andMe CEO Anne Wojcicki described the breach as an "online crime of significant proportions".
The ICO also highlighted that there were flaws in 23andMe's security during the time of the breach. There were no security measures in place for multifactor authentication (MFA) or password restrictions. Additionally, 23andMe did not take measures to prevent raw genetic data from being downloaded or accessed, and there were "insufficient systems in place to monitor, detect, or respond to cyber threats against its customers' personal information."
John Edwards, head of the ICO, stated:
The company was also criticized for its delayed acknowledgement of the breach. The breach took place between April and May 2023, but it wasn't discovered until October 2023, when an employee of 23andMe noticed the stolen data being sold on Reddit.