ICO fines 23andMe £2.3 million over data breach

Updated as of: 17 June 2025

British and Canadian regulators have stressed that 23andMe’s Chapter 11 bankruptcy proceedings do not protect it from data protection investigations.


The UK Information Commissioner’s Office (ICO) fined 23andMe £2.3 million today over a data breach that exposed 7 million users’ personal data, including genetic information, following a joint investigation with Canada’s federal Office of the Privacy Commissioner. 

In March 2025, a day after 23andMe filed for bankruptcy, the ICO said it planned to fine the company nearly £5 million. Since the GDPR came into force, the regulator has routinely reduced the penalties proposed in its notices of intent to fine after receiving the recipient's submissions.

ICO GDPR-era planned fine reductions

Controller | Draft fine | Final fine | Percentage reduction | Date issued
--- | --- | --- | --- | ---
Doorstep Dispensaree | £400,000 | £275,000 | -31% | December 2019
Marriott | £99,200,396 | £18,400,000 | -81.45% | October 2020
British Airways | £183,390,000 | £20,000,000 | -89.09% | October 2020
Ticketmaster | £1,500,000 | £1,250,000 | -17% | November 2020
Mermaids | Unknown | £25,000 | | July 2021
HIV Scotland | Unknown | £10,000 | | October 2021
Tuckers Solicitors | Unknown | £98,000 | | March 2022
Tavistock & Portman NHS Trust | £784,400 | £78,400 | -90% | June 2022
Easylife | Unknown | £1,480,000 | | October 2022
Interserve | Unknown | £4,400,000 | | October 2022
Cabinet Office | £600,000 | £500,000 | -17% | November 2022
TikTok | £27,000,000 | £12,700,000 | -53% | April 2023
Ministry of Defence | £1,000,000 | £350,000 | -65% | December 2023
Police Service of Northern Ireland | £5,600,000 | £750,000 | -87% | October 2024
Advanced Computer Software Group | £6,090,000 | £3,076,320 | -49% | March 2025
DPP Law | £60,000 | £60,000 | No change | April 2025
23andMe | £4,593,750 | £2,310,000 | -50% | June 2025

During a press conference the two regulators held today, UK Information Commissioner John Edwards said 23andMe didn’t take the necessary cybersecurity steps to mitigate the impact of the 2023 data breach.

“23andMe failed to take basic steps to protect people’s information,” Edwards said. “Their security systems were inadequate, the warning signs were there and the company was slow to respond. This left people’s most sensitive personal data vulnerable to exploitation and harm.”

According to the ICO’s monetary penalty notice released today, it took 23andMe four days after verifying the data breach to mandate a password reset for all customers, among other alleged shortcomings.

Canada’s Privacy Commissioner Philippe Dufresne also said 23andMe’s cybersecurity practices prior to the data breach were lacklustre.

“Organisations must also take proactive steps to protect against cyberattacks,” Dufresne said today. “Those include using multifactor authentication, strong minimal password requirements, compromised password checks and adequate monitoring to detect abnormal activity. [...] Our investigation found that these types of security measures were not in place at 23andMe that enabled a hacker to carry out a credential-stuffing attack.”
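The last measure Dufresne lists, monitoring that detects abnormal activity, is the one that distinguishes a credential-stuffing run (many different accounts tried from one source, mostly failing) from an ordinary user mistyping their own password. The detector below is an added illustration written for this article, not code from the ICO notice, the OPC report or 23andMe; the log format, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (assumed format, not a real 23andMe log).
# One source tries six different accounts and succeeds once; another source is a
# single user retrying their own password.
SAMPLE_LOG = """\
2023-10-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2023-10-01T09:00:02Z src=203.0.113.5 user=bob result=FAIL
2023-10-01T09:00:03Z src=203.0.113.5 user=carol result=FAIL
2023-10-01T09:00:04Z src=203.0.113.5 user=dave result=OK
2023-10-01T09:00:05Z src=203.0.113.5 user=erin result=FAIL
2023-10-01T09:00:06Z src=203.0.113.5 user=frank result=FAIL
2023-10-01T09:00:07Z src=198.51.100.9 user=alice result=FAIL
2023-10-01T09:00:08Z src=198.51.100.9 user=alice result=FAIL
2023-10-01T09:00:09Z src=198.51.100.9 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

@dataclass
class SourceStats:
    users: set = field(default_factory=set)   # distinct accounts tried
    attempts: int = 0
    failures: int = 0

def parse_log(text):
    """Aggregate login attempts per source address; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        s.users.add(m["user"])
        s.attempts += 1
        if m["result"] == "FAIL":
            s.failures += 1
    return stats

def flag_credential_stuffing(stats, min_users=5, min_fail_ratio=0.6):
    """Flag sources that tried many distinct accounts with a high failure ratio.
    A single account retried from one source (a forgotten password) is not flagged,
    even though its failure ratio is high. Thresholds are assumed, not tuned values."""
    flagged = {}
    for src, s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"accounts": len(s.users), "fail_ratio": round(ratio, 2)}
    return flagged
```

The single successful login amid the flagged source's failures is the case a monitor most needs to surface, because it is the account that has just been taken over.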

Dufresne noted that 23andMe is in the process of implementing some of the Canadian privacy commissioner’s recommendations. The regulator lacks the power to issue binding decisions.

“Certainly we’ve made recommendations in this investigation; the organisation has taken steps to address some of our recommendations. As a result, we have found it was substantiated but resolved in terms of the measures taken,” he said.

Dufresne said the 23andMe data breach is the latest example of why the Office of the Privacy Commissioner of Canada should have the authority to directly issue fines and orders.

“I hope, and expect, this new Parliament will be turning its attention to remedying this and giving us the ability to issue orders and fines. You can see in a case like this, in terms of cybersecurity, in terms of things where time is of the essence, where there are real consequences – there is a real gap. That being said, that is one of many reasons why we are leveraging international collaboration with partners around the world, and also around Canada, so we can maximise our impact. I will continue to use all the tools I have but I need more and better ones,” Dufresne said.

Dufresne noted that his agency is seeking to impose binding measures on Aylo, the owner of PornHub.

Ongoing scrutiny

Dufresne and Edwards said their agencies will be keeping a close eye on 23andMe as it continues its bankruptcy proceedings, and potentially sells its users’ personal data and other assets. Both said their jurisdictions’ laws and other requirements apply to 23andMe under any new ownership.

“We indicated in the report that we will be following this [bankruptcy] closely and the new obligations should continue to apply to any new owner,” Dufresne noted.

Edwards added: “Any potential buyer of 23andMe must comply with UK law when processing personal data relating to its customers in the UK.”

In May 2025, the ICO and the Office of the Privacy Commissioner of Canada sent a letter to the US Trustee to highlight their data protection concerns regarding 23andMe’s bankruptcy proceedings. The company’s bankruptcy and its announcement that it may sell users’ personal data have also sparked widespread concern among US regulators.

23andMe co-founder and former chief executive Anne Wojcicki and interim chief executive Joseph Selsavage were grilled by the US Congress last week about the potential data privacy implications of the company selling millions of Americans’ personal data. 23andMe last weekend said Wojcicki would be purchasing the company.

Counsel to 23andMe

UK: Greenberg Traurig

Documents: ICO penalty notice.pdf