Canada: UK Information Commissioner’s Office fined 23andMe GBP 2.31 million following joint investigation with Office of the Privacy Commissioner of Canada regarding compliance with cybersecurity regulations

Description

On 17 June 2025, the UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) concluded their joint investigation into 23andMe’s compliance with cybersecurity regulations, following a data breach reported in October 2023. The investigation found that 23andMe had failed to implement effective breach prevention mechanisms: it did not require multi-factor authentication, had inadequate minimum password standards, and did not check whether users’ credentials had previously been compromised. Additionally, the most sensitive personal information was not placed behind additional protective measures. Notably, three distinct events could have enabled the company to detect the attack earlier and potentially prevent thousands of accounts from being accessed. The investigation also highlighted delays in mitigation: 23andMe took four days to implement a password reset after becoming aware of the attack. As a result, the ICO imposed a fine of GBP 2.31 million on 23andMe for failing to protect the personal information of UK users. The findings are provisional and remain subject to representations from the company, including on the proposed penalty’s affordability. The ICO also noted that it is monitoring 23andMe’s Chapter 11 bankruptcy proceedings in the United States and that the company remains subject to its obligations under the UK General Data Protection Regulation (UK GDPR).

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: other service provider
Implementation Level: bi- or plurilateral agreement
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2024-06-10
under deliberation

On 10 June 2024, the Office of the Privacy Commissioner of Canada (OPC) announced that they had lau…

2025-03-24
under investigation

On 24 March 2025, the UK Information Commissioner’s Office (ICO) issued provisional findings, a not…

2025-06-17
in force

On 17 June 2025, the UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commi…