A serious warning for companies handling personal data – especially those working towards Cyber Essentials Plus compliance.
In June 2025 the UK’s Information Commissioner’s Office (ICO) fined DNA testing firm 23andMe £2.31 million over a cyberattack that exposed sensitive personal data belonging to nearly 7 million people worldwide, including more than 150,000 in the UK.
The attack succeeded because of a basic security gap that is still common across many businesses today: the absence of multi-factor authentication (MFA).
What happened in the 23andMe data breach?
During 2023, in an attack 23andMe disclosed in October of that year, attackers logged in to customer accounts using a technique known as credential stuffing: replaying usernames and passwords leaked from breaches of other services, which works whenever people have reused the same password. Only around 14,000 accounts were accessed directly, but those accounts had opted in to the DNA Relatives and Family Tree features, so the attackers could also scrape profile information about millions of genetic relatives whose own accounts were never logged into. The stolen information included:
- Full names and postcodes
- Health reports
- Ancestry data
- Family tree connections
23andMe did not recognise the compromise until the stolen data was offered for sale on a hacking forum in October 2023; the ICO found it had missed earlier warning signs. By that point the damage was done.
The ICO criticised 23andMe’s delayed response and its failure to implement fundamental protections: multi-factor authentication (MFA), secure password controls, and monitoring that would have spotted the abnormal login activity credential stuffing produces.
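The attack pattern described above is visible in ordinary login telemetry long before stolen data surfaces for sale, which is what made the delayed detection avoidable. The following Python script is an added example, not 23andMe’s code or anything from the ICO decision: it reads a constructed authentication log in an assumed CSV format and separates credential stuffing (one guess each against many accounts, with a small number of hits) from brute force (many guesses against one account) and ordinary user error, then lists the accounts a stuffing source actually got into, which are the ones to lock, reset and notify. The log format, thresholds and IP addresses are assumptions made for illustration.

```python
"""
Heuristic credential-stuffing triage over authentication logs.

Constructed example (not 23andMe code or data). Log format assumed:
    ISO-8601 timestamp,source IP,username,result (OK or FAIL)
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not a real capture. Three sources:
#   203.0.113.7   one password each against many accounts (stuffing, one hit)
#   198.51.100.4  many passwords against one account (brute force)
#   192.0.2.10    a user mistyping a password twice, then succeeding (benign)
SAMPLE_LOG = """\
2023-10-01T10:00:00,203.0.113.7,alice@example.com,FAIL
2023-10-01T10:00:01,203.0.113.7,bob@example.com,FAIL
2023-10-01T10:00:02,203.0.113.7,carol@example.com,FAIL
2023-10-01T10:00:03,203.0.113.7,dave@example.com,FAIL
2023-10-01T10:00:04,203.0.113.7,erin@example.com,FAIL
2023-10-01T10:00:05,203.0.113.7,frank@example.com,FAIL
2023-10-01T10:00:06,203.0.113.7,grace@example.com,OK
2023-10-01T10:00:07,203.0.113.7,heidi@example.com,FAIL
2023-10-01T10:05:00,198.51.100.4,ivan@example.com,FAIL
2023-10-01T10:05:01,198.51.100.4,ivan@example.com,FAIL
2023-10-01T10:05:02,198.51.100.4,ivan@example.com,FAIL
2023-10-01T10:05:03,198.51.100.4,ivan@example.com,FAIL
2023-10-01T10:05:04,198.51.100.4,ivan@example.com,FAIL
2023-10-01T10:05:05,198.51.100.4,ivan@example.com,FAIL
2023-10-01T10:10:00,192.0.2.10,judy@example.com,FAIL
2023-10-01T10:10:20,192.0.2.10,judy@example.com,FAIL
2023-10-01T10:10:35,192.0.2.10,judy@example.com,OK
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class SourceReport:
    ip: str
    total: int
    failures: int
    distinct_users: int
    compromised: list  # accounts a stuffing source successfully logged into
    verdict: str       # "credential_stuffing", "brute_force" or "benign"


def parse_log(text):
    """Parse the assumed CSV format into Attempt records (usernames normalised)."""
    attempts = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return attempts


def densest_window(rows, window):
    """Largest run of time-sorted rows that fits inside `window`."""
    best, left = [], 0
    for right, row in enumerate(rows):
        while row.ts - rows[left].ts > window:
            left += 1
        if right - left + 1 > len(best):
            best = rows[left:right + 1]
    return best


def analyse(attempts, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.5):
    """Classify each source IP by the shape of its busiest window.

    Stuffing: many distinct usernames, mostly failures, a few successes.
    Brute force: one or two usernames hammered with failures.
    Thresholds are illustrative; tune them against your own baseline.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    reports = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        win = densest_window(rows, window)
        total = len(win)
        failures = sum(1 for a in win if not a.ok)
        users = {a.user for a in win}
        if len(users) >= min_users and failures / total >= min_fail_ratio:
            verdict, compromised = "credential_stuffing", sorted(a.user for a in win if a.ok)
        elif len(users) <= 2 and failures >= min_users:
            verdict, compromised = "brute_force", []
        else:
            verdict, compromised = "benign", []
        reports[ip] = SourceReport(ip, total, failures, len(users), compromised, verdict)
    return reports


def accounts_to_reset(reports):
    """Every account a stuffing source logged into: lock, reset and notify."""
    return sorted(u for r in reports.values()
                  if r.verdict == "credential_stuffing" for u in r.compromised)


if __name__ == "__main__":
    for r in analyse(parse_log(SAMPLE_LOG)).values():
        print(f"{r.ip:14} {r.verdict:20} attempts={r.total} fails={r.failures} "
              f"users={r.distinct_users} hits={r.compromised}")
```

Run as-is to see the three verdicts; in production you would feed it your identity provider’s sign-in export and tune the window and thresholds to your normal traffic. One caveat: a distributed stuffing campaign spreads its attempts across many proxy addresses, so per-IP counts alone can miss it. The same features (number of distinct usernames, failure ratio, occasional hits) aggregated per network range, per user agent, or simply across the whole site catch the same pattern at a coarser grain.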
Why this matters to UK businesses
This isn’t just a story about a DNA company – it’s a wake-up call for any organisation managing sensitive, personal, or regulated data.
Here’s why:
- Some data – like health or genetic information – cannot be changed once leaked.
- Regulators are more likely to issue fines if simple preventative measures like MFA are missing.
- Data breaches can bring large fines: under the UK GDPR the ICO can impose penalties of up to £17.5 million or 4% of global annual turnover, whichever is higher.
- Damage to reputation, client trust, and operations can be immediate and long-lasting.
If you store client data, operate cloud-based services, or manage remote access systems, the 23andMe case offers a clear message: strengthen your security now or risk paying the price later.
MFA: a simple, powerful step with major impact
MFA sharply reduces the risk of account takeover even when a password has been leaked or reused. It adds a second proof of identity, such as an app prompt, a one-time code or a hardware security key, so a stolen password alone is no longer enough to log in.
Credential stuffing in particular depends on the absence of MFA: it works by replaying passwords, and any second factor defeats it. Phishing is less clear-cut, because a real-time phishing page can relay a one-time code to the genuine site as quickly as the victim types it; only phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the legitimate site, close that gap. Enabling MFA on every user and administrator account, and choosing phishing-resistant methods where you can, is one of the most effective steps a company can take to improve its cyber security posture.
Cyber Essentials Plus: MFA is now mandatory
If you’re working towards Cyber Essentials Plus certification, MFA is no longer optional. The requirement comes from the Cyber Essentials scheme itself, which Plus builds on, and the Plus assessor will test that it is actually in place.
Under the current requirements, you must:
- Use MFA for every user account on cloud services, wherever the service offers it
- Use MFA on all administrator accounts, including administrative access to cloud services
- Protect other internet-facing services, such as remote access and VPN gateways, against password guessing, with MFA as the preferred control and rate throttling or account lockout as the minimum
- Be able to show the assessor how MFA is configured and demonstrate it working during the audit
What your business should do now
| Action | Why it matters |
|---|---|
| Audit your systems | Identify gaps and confirm MFA is enforced, not merely available, for every user and administrator account |
| Upgrade your approach | Prefer phishing-resistant methods (FIDO2 security keys or passkeys), then authenticator apps; avoid SMS and voice codes, which can be intercepted through SIM swapping or relayed by a phishing page |
| Build it into onboarding | New accounts should be required to register MFA at first login, with no open-ended grace period |
| Train your team | Everyone should understand how and why to use MFA, and to report unexpected prompts rather than approve them |
| Document your controls | Prepare for Cyber Essentials Plus with detailed, audit-ready documentation |
How Dr Logic can support you
As an IT partner for security-focused businesses, we help organisations implement MFA the right way – from strategy to certification.
- We run comprehensive MFA assessments to identify gaps.
- We implement and configure reliable MFA tools suited to your environment.
- We support you with Cyber Essentials Plus compliance, including technical documentation and audit preparation.
- We train your staff so they’re confident and compliant from day one.
Final word
The £2.3 million fine handed to 23andMe shows how costly it can be to skip the basics. MFA is more than a best practice – it’s an essential layer of protection, a trust signal for clients, and a must-have for certification.
If you’re not sure your MFA is doing its job – or need help getting audit-ready – we’re here to help.