23andMe Inc – €2,702,700 Fine (United Kingdom, 2025)

€2,702,700
Information Commissioner's Office
5 June 2025
United Kingdom
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

23andMe is a US-based consumer genetics and research company. It offers customers (data subjects) a genetic testing service that analyses a DNA sample provided by them to identify, among other things, their ancestry composition, DNA relatives and health predispositions. To view and download the results of their DNA analysis (raw genetic data), customers must create an account. Between 25 May 2018 and 31 December 2024, a threat actor was able to perpetrate a credential stuffing attack and obtain access to personal data relating to 155,592 UK-based customers of 23andMe. Some of the data constituted special category personal data relating to health and genetic data, as well as data relating to racial or ethnic origin. In August and October 2023, the personal data exfiltrated by the threat actor was offered for sale on a number of online forums. 23andMe became aware of the data breach in October 2023 and notified the DPA (Information Commissioner's Office, ICO). In June 2024, the DPA informed 23andMe of the launch of an investigation into the data breach. First, the DPA found that 23andMe infringed Article 5(1)(f) and Article 32(1)(b) UK GDPR by failing to implement appropriate technical and organisational measures to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and services, including by failing to implement:

i. appropriate authentication and verification measures as part of its customer login process, including, but not limited to, multi-factor authentication, secure password requirements, unpredictable usernames, or other measures recognised as effective defences against credential stuffing attacks;
ii. additional appropriate security measures specifically focused on the access to and download of raw genetic data, despite the fact that genetic data is special category data by virtue of Article 9(1) UK GDPR and therefore merits specific protection;
iii. measures which enabled 23andMe to monitor for, detect an

GDPR Articles Cited

Art. 5(1)(f) GDPR
Art. 32(1)(b) GDPR
Art. 32(1)(d) GDPR
Source verified 5 March 2026
Related Enforcement Actions (0)

No other enforcement actions found for 23andMe Inc in UK

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

5 June 2025

Authority

Information Commissioner's Office

Fine Amount

€2,702,700

2,310,000 GBP

GDPRhub ID

gdprhub-9357

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. 23andMe Inc - United Kingdom (2025). Retrieved from cookiefines.eu
