Cyber security | UK Regulatory Outlook June 2025

ICO fines 23andMe £2.3m for failing to protect users' genetic data 

The Information Commissioner's Office (ICO) has fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a cyber attack in 2023. The fine follows on from the ICO's notice of intent to fine in March that had envisaged a higher fine of £4.59 million. 

The company's platform was hit by a credential stuffing attack in 2023, resulting in unauthorised access to personal information belonging to 155,592 UK residents, including names, birth years, race, ethnicity, family trees and health reports. 

The ICO found that, at the time of the breach, the company had failed to implement adequate security systems to protect this information, in breach of UK data protection law. This included failures to implement: 

• appropriate authentication and verification measures;
• appropriate controls over access to raw genetic data; and
• effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information. 

Aggravating factors in the calculation of the fine included (for further reading on the ICO's fining guidance see our Insight):  

• the deficiencies in the content of the breach reports sent by the company regarding the 2023 data breach;
• the extent of the company's failure to implement appropriate technical and organisational measures;
• 23andMe's "multiple failures" and delay in reviewing and improving its security measures despite growing evidence of a significant risk to customers' personal data;
• the sensitive nature of the personal data affected;
• the distress caused to the affected UK customers (the fine quoted statements from affected customers demonstrating the data breach had caused "significant distress" to some customers); and
• the potential for further "psychological, reputational and financial harm to have been caused by the highly sensitive personal data within 23andMe accounts entering the public domain" and potentially being exploited by hackers. 

The penalty follows a joint investigation with the Office of the Privacy Commissioner of Canada announced in June 2024.  

See also the Data section. 

New cyber-growth action plan 

The Department for Science, Innovation and Technology (DSIT) has published its Cyber Growth Action Plan 2025, which will review the strengths of the country's cyber sector and provide a set of recommendations to government. 

The plan will report this summer with a series of insights for the secretary of state that is expected to feed into the forthcoming National Cyber Strategy. The plan, which is split into four workstreams, aims to analyse the UK's cyber products and services, explore new technologies, identify areas to collaborate and share cyber best practices to increase cyber resilience in sectors critical to UK security, industry and economic growth, and identify opportunities presented by the Cyber Security and Resilience Bill. 

See also the government press release. 

NCSC publishes cyber security culture principles 

The National Cyber Security Centre (NCSC) has launched a set of cyber-security culture principles, which are designed to support an organisation's leaders and cyber-security specialists in creating the right culture for a resilient and secure organisation.  

Developed following extensive research by the NCSC and industry and government partners, the six principles are accompanied by descriptions of scenarios designed to show the consequences of poor security stemming from work culture, and descriptions of best practice to help individuals determine how best to apply each principle within their organisations. 

See the NCSC press release.