UK Biobank Breach Exposes 500,000 Records On Alibaba

The medical data of half a million British citizens was listed for sale on the Chinese e-commerce platform Alibaba following a data breach at the UK Biobank charity, the British government disclosed on Thursday.

UK Science Minister Ian Murray revealed the development to the House of Commons, confirming that the data, which includes genetic sequences, blood samples, medical scans and lifestyle information from Biobank’s volunteer database, had appeared across three separate listings on the platform.

At least one of the listings appeared to contain data drawn from all 500,000 volunteers in the database. Murray said the listings were removed before any sales were completed, with the cooperation of both the Chinese government and Alibaba.

Three research institutions with legitimate access to the data were identified as the source of the listings, and their access to Biobank’s platform has since been revoked.

Murray stressed that this was not a conventional hacking incident but rather a case of authorised users misusing data they had been legally permitted to download. All further data access requests have been paused while security measures are strengthened.

Biobank confirmed that the exposed data had been anonymised and did not include names, addresses or NHS numbers, though it did contain gender, age, birth month and year, socioeconomic status and lifestyle details. Privacy experts have long cautioned that such combinations of information can be sufficient to identify individuals, particularly when matched against other publicly available records.

Biobank chief executive Sir Rory Collins issued an apology to participants and confirmed the organisation had suspended access to its research platform.

An interim measure restricting the size of files exportable from the platform was being put in place, though a comprehensive automated checking system was not expected to be fully operational until late 2026.

Biobank has referred itself to the Information Commissioner’s Office, which has the power to impose fines of up to four per cent of an organisation’s annual global turnover for failures to protect personal data securely.

The Biobank database was established with government and charitable funding and holds more than 15 million biological samples and health records from volunteers recruited between 2006 and 2010. It is used by researchers worldwide in studies covering cancer, dementia and diabetes.

The breach has intensified concerns about Chinese access to Western health and genomic data.

A previous report found that one in five successful applications to access Biobank data came from China, including from researchers linked to BGI, China’s largest genomics company, which the United States has sanctioned over concerns its data collection activities support military surveillance programmes.

The U.S. has described bulk health and genomic data as a strategic asset that China collects for national security purposes.

It said that, unlike a compromised password, genetic data cannot be replaced.
