23andMe data breach fine

UK watchdog fines 23andMe £2.3m for ‘profoundly damaging’ data breach

In one of the most significant data protection rulings we’ve seen in recent years, DNA testing company 23andMe has been fined £2.31 million by the UK’s Information Commissioner’s Office (ICO).

The fine follows a major data breach in 2023 that exposed deeply personal details of over 155,000 UK residents – and millions more worldwide.

The verdict? 23andMe simply didn’t do enough to protect people’s sensitive data.

What went wrong?

Back in 2023, hackers launched a “credential stuffing” attack. That’s when cybercriminals use stolen login details from one site to break into accounts on another – something that works all too often when people reuse passwords.

This allowed the attackers to access around 14,000 23andMe accounts directly. But because the site links users to genetic relatives, they were able to scrape data connected to nearly seven million people in total.

A warning ignored

The ICO was clear: the breach wasn’t just unfortunate, it was preventable. 23andMe failed to put basic protections in place, like multi-factor authentication or stronger password rules.

They didn’t spot the warning signs, and they didn’t act fast enough to fix the problems.

As Information Commissioner John Edwards put it: “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

What happens now?

The company has since filed for bankruptcy and 23andMe is being sold to a new owner, TTAM Research Institute, who say they’re committed to doing better. Promises have been made to improve data protection and give users more control, including the right to delete their data and opt out of research.

Can you claim compensation for the 23andMe data breach? 

At Join the Claim, we believe strongly in holding companies accountable – especially when it comes to something as personal as your genetic data. This breach isn’t just about sloppy IT practices. It’s about trust, transparency, and the responsibility companies have to protect their users. Because once private information is out in the world, there’s no getting it back.

Despite 23andMe filing for bankruptcy, lawyers in the UK are still pursuing the company in a group action data breach claim.

Find out more

Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.  

This information is for general guidance only and does not constitute legal or financial advice.

You may also like:

  • Environment, News, Vehicle

Can BMW drivers claim compensation for the diesel emissions scandal?

BMW faces legal action over emissions-cheating software. Learn what the scandal involves, who is affected, and what it means for UK diesel car owners.
  • Data Breach, Financial, News

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.
  • News, Vehicle

Jaguar Land Rover DPF claims vs. dieselgate: What you need to know

Confused about Jaguar Land Rover DPF claims vs. Dieselgate? Learn the key differences, legal actions, and how to check if you qualify for compensation.

Latest news & insights

Close-up of a person using a smartphone with the ChatGPT app open.
Are ChatGPT conversations appearing in Google search results? Here’s what we know.
Reports claim ChatGPT conversations are appearing in Google search results. We examine what's really happening.
Woman holding iPhone with logo of application Booking.com on the screen, using mobile application
Booking.com faces proposed £2 billion consumer claim over hotel prices
A proposed £2 billion claim alleges Booking.com's pricing practices inflated hotel costs for millions of UK travellers. Here's what we know so far.
Warning to supermarket store workers: If you want equal pay compensation, you’ll need to claim it!
Many UK supermarket workers are confused about equal pay claims. Learn why backpay isn’t automatic and what opt-in group actions really mean.
Close-up of the NHS - National Health Service logo on the exterior of St. Thomas Hospital in London, UK
What is the NHS Single Patient Record, and why is it being debated?
Plans for a NHS Single Patient Record moved a step closer last week. But there are important questions about privacy & data security.
Teenagers with smartphones on social media near white wall indoors
Social media is facing growing scrutiny. Here’s why.
Explore the growing debate around social media safety, online harms, platform accountability, child safety, addictive features and digital rights.
An expert hacker is decrypting data while hiding their face
Hackers are changing tactics – and it could mean more data breaches
Hackers are increasingly exploiting software vulnerabilities rather than stealing passwords. Here's what that could mean for UK consumers.
Managing the validity of digital document checklists
New data complaint rules are coming in June 2026
New data protection complaint rules take effect on 19 June 2026. Find out what organisations must do and what the changes mean for consumers.
Hand holding a digital ID card with user profile symbol.
Digital ID plans move into next phase — but key questions remain
The government's digital ID plans have entered a new phase with the launch of a 120-member People's Panel. 
Text STUDENT LOAN visible through magnifier, money and stack of books on light table against blackboard
Why plain English matters in financial agreements
A new parliamentary inquiry found thousands of graduates did not properly understand their student loan terms. Here’s why plain English matters in financial products and legal agreements.
Woman is shocked from the rising energy costs and the bill she received for heat and electricity for her household.
UK energy bills to rise again as Iran conflict hits gas prices
UK household energy bills are set to rise by 13% from July 2026 after global gas prices surged during the Iran conflict. Here’s what it could mean for households.
Black British passport on UK Union Jack flag close up
UK visa portal data leak exposes passports and personal documents 
Thousands of passport scans and personal documents were reportedly exposed online after a third-party UK Visa Portal website left files publicly accessible.
boy scrolling through social media on his mobile phone
Is social media the next “big tobacco”?
The UK government is considering tougher social media restrictions for children. Could this lead to large-scale legal claims against tech platforms?
What we’ve been working on at Join the Claim in May
A round-up of what we’ve been working on in May at Join the Claim, including claims to watch, legal developments and practical consumer guides.
A business person using laptop with visual screen Scam Alert warning sign for scams with icons
Scam alert update: May 2026
Stay alert this May with the latest scam warnings from Join the Claim
Office, serious and business woman on laptop for class actions
Could opt-out class actions expand in the UK? What consumers need to know
The UK is reviewing whether opt-out class actions could expand beyond competition law. Here’s what the proposed reforms could mean.
View all news

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the Claim is a trading name of Join the Claim Limited, authorised and regulated by the Financial Conduct Authority (FRN: 1053404). Registered in England and Wales, Company No: 16245278. Registered office: 32 Eyre Street, Sheffield, S1 4QZ.

© Join the Claim All Rights Reserved |

2026
Go to claims