23andMe

  • Date: 5 June 2025
  • Type: Monetary penalties

The Information Commissioner has fined 23andMe, Inc £2,310,000 for infringements of Articles 5(1)(f) and 32(1) of the UK GDPR between 25 May 2018 and 31 December 2024.

23andMe failed to implement appropriate security measures to protect the personal information of 155,592 UK users, following a large-scale cyber attack in 2023.

The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.