23andMe Holding Co., $2,315,000
Genetic-testing company 23andMe suffered a credential-stuffing breach exposing genetic and ancestral data of 6.9 million users. UK ICO imposed a £2.31M penalty; US multi-state actions followed.
Case identifiers
- Respondent: 23andMe Holding Co.
- Agency: UK ICO + multi-state AG settlement
- Announced: 2025-06-02
- Monetary relief: $2,315,000
- Statutes cited: UK GDPR · Data Protection Act 2018 · State UDAP laws
Key facts
1. A 2023 credential-stuffing attack compromised 14,000 accounts directly; through the DNA-relative matching features available to those accounts, it exposed data on 6.9 million users.
2. Stolen data included family relationships, ethnicity estimates, and genetic health risk reports.
3. The ICO found that 23andMe did not have sufficient authentication controls (such as multi-factor authentication) or the monitoring needed to detect and respond to the attack.
4. 23andMe subsequently filed for Chapter 11 in March 2025; genetic data privacy remains a central issue in the bankruptcy.
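Fact 3 turns on monitoring: a credential-stuffing burst looks different from ordinary failed logins, and a taken-over account only becomes a mass exposure when it starts enumerating relative profiles. The following is an added example written for this page, not code from 23andMe or from any regulator's filing; the log line format, field names, event names and thresholds are assumptions, and the log itself is constructed to show one stuffing burst, one scraping account and one ordinary user.

```python
"""Two detections a practitioner would run against authentication and
feature-access logs: a distributed credential-stuffing burst, and an
account enumerating an implausible number of relative profiles.
Log format, event names and thresholds are assumptions for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # login_failed | login_success | relative_view
    user: str
    ip: str
    target: str = ""  # relative profile id, only for relative_view


def parse_log(text: str) -> list[Event]:
    """Parse constructed '<ISO ts> <event> <user> <ip> [<target>]' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        p = line.split()
        ts = datetime.strptime(p[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, p[1], p[2], p[3], p[4] if len(p) > 4 else ""))
    return events


def _bucket(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // window) * window


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_ips=5, max_per_ip=3):
    """Flag windows where failures hit many distinct accounts from many
    distinct IPs, each IP trying only a few times. That wide, low-per-source
    shape is what distinguishes replaying leaked username/password pairs
    from single-source brute force, which per-IP rate limits already catch."""
    fails = defaultdict(list)
    for e in events:
        if e.kind == "login_failed":
            fails[_bucket(e.ts, window)].append(e)
    alerts = []
    for start, evs in sorted(fails.items()):
        users = {e.user for e in evs}
        per_ip = defaultdict(int)
        for e in evs:
            per_ip[e.ip] += 1
        if (len(users) >= min_users and len(per_ip) >= min_ips
                and max(per_ip.values()) <= max_per_ip):
            alerts.append({"window_start": start, "users": len(users),
                           "ips": len(per_ip), "failures": len(evs)})
    return alerts


def detect_relative_scraping(events, window=timedelta(hours=1), max_profiles=50):
    """Flag accounts viewing more distinct relative profiles per window than a
    person browsing matches plausibly would; this is where one takeover
    turns into exposure of everyone connected to it."""
    seen = defaultdict(set)  # (user, window_start) -> distinct profile ids
    for e in events:
        if e.kind == "relative_view":
            seen[(e.user, _bucket(e.ts, window))].add(e.target)
    return [{"user": u, "window_start": s, "profiles": len(p)}
            for (u, s), p in sorted(seen.items()) if len(p) > max_profiles]


def build_sample_log() -> str:
    """Constructed sample log (documentation-range IPs): a 03:00 burst of one
    failure each against ten accounts from ten IPs with two hits, account u004
    then pulling 120 relative profiles, and user 'bob' mistyping a password
    twice before viewing two profiles."""
    lines = []
    for i in range(1, 11):
        kind = "login_success" if i in (4, 10) else "login_failed"
        lines.append(f"2023-10-01T03:00:{i:02d}Z {kind} u{i:03d} 198.51.100.{10 + i}")
    for n in range(1, 121):
        lines.append(f"2023-10-01T03:{1 + n // 60:02d}:{n % 60:02d}Z "
                     f"relative_view u004 198.51.100.14 r{n:04d}")
    lines += [
        "2023-10-01T09:15:00Z login_failed bob 203.0.113.5",
        "2023-10-01T09:15:10Z login_failed bob 203.0.113.5",
        "2023-10-01T09:15:30Z login_success bob 203.0.113.5",
        "2023-10-01T09:16:00Z relative_view bob 203.0.113.5 r0001",
        "2023-10-01T09:17:00Z relative_view bob 203.0.113.5 r0002",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("stuffing:", detect_credential_stuffing(evs))
    print("scraping:", detect_relative_scraping(evs))
```

On the constructed log the stuffing detector fires once (8 failures across 8 accounts and 8 IPs in the 03:00 window) and ignores bob's two failures from one address; the scraping detector flags only u004. The thresholds are deliberately low so the sample triggers them; in production they are tuned per service, and the scraping check is the one that would have mattered here, since the account-level compromise was small but the relative-matching reach was not.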
Primary sources
Read the original government documents. These are the authoritative records; everything on this page is derived from them.
- UK ICO + multi-state AG settlement press release: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/06/ico-issues-notice-of-intent-to-fine-23andme
Exercise your rights now
Generate a deletion request for $5
The multi-state order binds 23andMe Holding Co.'s future practices, but doesn't automatically delete your existing data. State privacy law (CCPA, CPA, TDPSA, VCDPA) gives you that right. OfflistMe generates a compliant deletion email pre-addressed to 23andMe Holding Co.'s registered privacy contact.
FAQ
What did the multi-state charge 23andMe Holding Co. with?
The UK ICO + multi-state AG settlement cited UK GDPR, the Data Protection Act 2018 and state UDAP laws, following the credential-stuffing breach that exposed genetic and ancestry data of 6.9 million users. The UK ICO imposed a £2.31M penalty; US multi-state actions followed.
How much did 23andMe Holding Co. pay?
23andMe Holding Co. paid $2,315,000 in monetary relief, announced on 2025-06-02. The settlement also imposed injunctive terms binding the company's future practices.
Does the 23andMe Holding Co. settlement mean my data has been deleted?
No, the order does not automatically delete your data. You retain full rights under state privacy law (CCPA, CPA, TDPSA, VCDPA, and others) to submit your own deletion request. OfflistMe can generate a compliant deletion email pre-addressed to the respondent’s privacy contact.
How can I read the original multi-state order?
The UK ICO + multi-state AG settlement press release is available at https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/06/ico-issues-notice-of-intent-to-fine-23andme.