
Cybersecurity Situation in the UK, June 2025 Regulatory Overview

23andMe Faced a £2.3m Fine for Negligence in Protecting User Genetic Data | New Cybersecurity Action Plan Released | NCSC Outlines Cybersecurity Culture Principles


In a significant enforcement action, the Information Commissioner's Office (ICO) has fined genetic testing company 23andMe £2.31 million for failing to protect users' sensitive personal information. The cyber attack in 2023 exposed the data of approximately 155,592 UK users, including names, birth years, race, ethnicity, family trees, and health reports [1][3][5].

The ICO's investigation revealed several shortcomings in 23andMe's security measures. The company had weak password policies, with no complexity requirements and no verification of passwords against known compromised-password lists [1][3][4][5]. It also failed to implement additional verification steps, such as multi-factor authentication, to secure access to raw genetic data and account downloads.

Moreover, insufficient rate-limiting and API security measures allowed attackers to bypass IP-based controls by using rotating IP addresses [1][3][4][5]. The detection and response to the breach were slow, with the full investigation only launched six months after the attack began and only after stolen data appeared for sale on Reddit.
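The IP-based control described above fails because each request from a rotating-IP pool looks like a first attempt. The following added example (not code from the ICO report or from 23andMe) replays constructed failed-login events through two sliding-window limiters, one keyed on source IP and one keyed on the targeted account, to show which strategy actually slows the attack; the account and IP values are made up.

```python
# Added example: compare login rate limiting keyed on source IP versus keyed
# on the targeted account, against failures arriving from rotating IPs.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` recorded failures per key within `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def record_failure(self, key, now):
        self._prune(key, now).append(now)

    def is_blocked(self, key, now):
        return len(self._prune(key, now)) >= self.limit


def run_login_attempts(attempts, key_funcs, limit=5, window=300):
    """Replay (timestamp, ip, account) failed logins through one limiter per
    keying strategy; return how many attempts each strategy blocked."""
    limiters = {name: SlidingWindowLimiter(limit, window) for name in key_funcs}
    blocked = {name: 0 for name in key_funcs}
    for ts, ip, account in attempts:
        for name, key_fn in key_funcs.items():
            key = key_fn(ip, account)
            if limiters[name].is_blocked(key, ts):
                blocked[name] += 1
            else:
                limiters[name].record_failure(key, ts)
    return blocked


# Constructed sample: 20 failed logins against one account, one per second,
# each from a different source address (a rotating-IP pattern). Values are fictitious.
ATTEMPTS = [(t, f"198.51.100.{t}", "victim@example.com") for t in range(20)]

KEY_FUNCS = {
    "per_ip": lambda ip, acct: ip,        # every IP seen once: never trips
    "per_account": lambda ip, acct: acct,  # trips after `limit` failures
}

if __name__ == "__main__":
    print(run_login_attempts(ATTEMPTS, KEY_FUNCS))  # {'per_ip': 0, 'per_account': 15}
```

In practice both keys are used together, with the per-account limit backed by multi-factor authentication and compromised-password screening so that a correct guess alone does not grant access.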

The company was also criticized for its response to the breach, which appeared to blame users for not changing compromised credentials promptly, despite systemic security shortcomings [1][3][4][5].

In response to this incident, the ICO emphasized the importance of robust security measures for companies handling sensitive data, particularly genetic information. The recommendations included enforcing strong password policies, implementing multi-factor authentication, and rigorous access controls [1][4][5]. The ICO also stressed the need for more advanced API security controls, timely detection and prompt response to suspicious activity and data breaches, and international data protection cooperation [1][4][5].

Meanwhile, the Department for Science, Innovation and Technology (DSIT) has published the Cyber Growth Action Plan 2025. This plan aims to analyze the UK's cyber products and services, explore new technologies, and increase cyber resilience in critical sectors [2][4]. The plan is split into four workstreams and will report this summer, feeding into the forthcoming National Cyber Strategy.

Separately, the National Cyber Security Centre (NCSC) has published a set of cyber-security culture principles. These principles are designed to support leaders and cyber-security specialists in creating a resilient and secure organization [3]. The principles were developed through extensive research by the NCSC, industry, and government partners.

The Regulatory Outlook series provides high-level summaries of important forthcoming regulatory developments in various sectors in the UK, including cyber security [4]. The publication of the cyber-security culture principles is not related to the fine imposed on 23andMe by the ICO.

References:

[1] Information Commissioner's Office. (2025). ICO fines 23andMe £2.31 million for failing to protect users' genetic data. Retrieved from https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2025/06/ico-fines-23andme-2-31-million-for-failing-to-protect-users-genetic-data/

[2] Department for Science, Innovation and Technology. (2025). Cyber Growth Action Plan 2025. Retrieved from https://www.gov.uk/government/publications/cyber-growth-action-plan-2025/cyber-growth-action-plan-2025

[3] National Cyber Security Centre. (2024). Cyber-security culture principles. Retrieved from https://www.ncsc.gov.uk/blog-post/cyber-security-culture-principles

[4] Regulatory Outlook. (2025). Cyber Security. Retrieved from https://regulatoryoutlook.org.uk/sectors/cyber-security/

[5] Office of the Privacy Commissioner of Canada. (2024). Joint investigation with the Information Commissioner's Office (ICO) of the United Kingdom into 23andMe's failure to protect users' genetic data. Retrieved from https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/2024/2024_02/

  1. The ICO's investigation into 23andMe, which found several shortcomings in the company's cybersecurity measures, highlighted the need for robust finance and technology practices in businesses, particularly those handling sensitive data such as genetic information.
  2. Recognizing the importance of cybersecurity in today's digital business environment, the Department for Science, Innovation and Technology (DSIT) has published the Cyber Growth Action Plan 2025, which aims to increase cyber resilience in critical sectors through advanced technology and research.
