The Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.
The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.
Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.
This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports.
The type and amount of personal information accessed varied depending on the information included in a customer’s account.
The ICO investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.
John Edwards, UK Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK.
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.
“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.
“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”
The ICO found that 23andMe breached UK data protection law by failing to put in place appropriate authentication and verification measures as part of its customer login process, including, but not limited to, mandatory multi-factor authentication (MFA), secure password requirements, or unpredictable usernames.
The company also failed to put in place appropriate security measures that focused on the access to and download of raw genetic data.
The report also found that 23andMe failed to put in place measures to monitor for, detect and appropriately respond to cyber threats to its customers’ personal information.
Additionally, 23andMe’s response to the incident was inadequate and they missed many opportunities to act, the ICO said.
Despite all this activity, the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit.
Only then did 23andMe confirm that a breach had occurred.
You can contact us for more informations or ads here [email protected]