ICO fines 23andMe £2.31m – what have we learned?

Taylor Wessing’s Mike Vallance looks at the ICO’s final conclusions on the DNA testing site 23andMe data breach and at key takeaways.

The 23andMe data breach has caught the attention of the privacy community as a clear and stark reminder of the damage that can be caused by a data breach. On 17 June 2025, the UK Information Commissioner’s Office (ICO) announced a revised fine of £2.31 million to be imposed on the prominent consumer genetics company(1) following a data breach that exposed sensitive genetic and health information of over 150,000 UK customers (and many more individuals globally).

This is a revision of the ICO’s notice of intent to fine in March, which stated a provisional penalty of £4.59 million.(2) 23andMe’s current administration status(3) was considered significant and resulted in a reduction of the financial penalty.
