Genetic testing giant 23andMe has been slapped with a £2.31 million fine by the UK’s Information Commissioner’s Office (ICO) following a “profoundly damaging” data breach in 2023 that exposed the highly sensitive personal and genetic data of over 155,000 UK residents. The penalty, announced last week, underscores significant failings in the company’s data security protocols and its sluggish response to the cyberattack.
The ICO, in a joint investigation with Canada’s Office of the Privacy Commissioner, found that 23andMe breached UK data protection law by failing to implement adequate technical and organizational measures to safeguard user data. Key deficiencies identified included a lack of mandatory multi-factor authentication (MFA), weak password protocols, and insufficient systems for monitoring and detecting cyber threats. Crucially, the company also failed to implement additional verification steps for users attempting to access and download their raw genetic data, leaving this extremely sensitive information vulnerable.
The breach, a “credential stuffing” attack, began in April 2023 and continued until September of the same year. Attackers exploited login credentials stolen from unrelated previous data breaches to gain unauthorized access to 23andMe accounts. While only a small percentage of accounts were directly accessed, the company’s “DNA Relatives” feature meant that the compromise of approximately 14,000 accounts ultimately exposed the data of around 6.9 million individuals globally, including the affected UK residents.
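The attack pattern described above, one source trying credentials harvested elsewhere against many different accounts, leaves a distinctive trace in authentication logs that the monitoring the ICO found lacking would have surfaced. The following is an added example, not code or log data from the article or from 23andMe: it parses a constructed, hypothetical log format, flags source addresses whose login attempts hit many distinct accounts with a high failure ratio, and then lists raw-data downloads made from those flagged sources, the second control the ICO said was missing. The thresholds and the log field names are assumptions.

```python
"""Credential-stuffing detection over constructed authentication log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed, hypothetical log format (not a real 23andMe log):
# <ISO timestamp> ip=<source ip> user=<account> event=<LOGIN_OK|LOGIN_FAIL|DOWNLOAD_RAW>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)

# Constructed sample: one source sprays eight accounts (six failures, two hits)
# and then pulls raw data from a hit account; a second source is a normal user.
SAMPLE_LOG = """
2023-04-12T03:14:01Z ip=203.0.113.7 user=alice event=LOGIN_FAIL
2023-04-12T03:14:02Z ip=203.0.113.7 user=bob event=LOGIN_FAIL
2023-04-12T03:14:02Z ip=203.0.113.7 user=carol event=LOGIN_FAIL
2023-04-12T03:14:03Z ip=203.0.113.7 user=dave event=LOGIN_FAIL
2023-04-12T03:14:03Z ip=203.0.113.7 user=erin event=LOGIN_FAIL
2023-04-12T03:14:04Z ip=203.0.113.7 user=frank event=LOGIN_FAIL
2023-04-12T03:14:05Z ip=203.0.113.7 user=grace event=LOGIN_OK
2023-04-12T03:14:06Z ip=203.0.113.7 user=heidi event=LOGIN_OK
2023-04-12T03:14:09Z ip=203.0.113.7 user=grace event=DOWNLOAD_RAW
2023-04-12T09:01:00Z ip=198.51.100.5 user=ivan event=LOGIN_FAIL
2023-04-12T09:01:20Z ip=198.51.100.5 user=ivan event=LOGIN_OK
2023-04-12T09:05:00Z ip=198.51.100.5 user=ivan event=DOWNLOAD_RAW
""".strip().splitlines()


@dataclass
class SourceStats:
    """Login activity aggregated per source address."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse(lines):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_source_stats(events):
    """Count attempts, failures and distinct accounts tried for each source IP."""
    stats = defaultdict(SourceStats)
    for e in events:
        if e["event"] not in ("LOGIN_OK", "LOGIN_FAIL"):
            continue
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["event"] == "LOGIN_FAIL":
            s.failures += 1
    return stats


def flag_stuffing_sources(events, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.5):
    """Credential stuffing signature: many attempts, many distinct accounts, mostly failing.
    Thresholds are assumed values for illustration; tune them to real traffic."""
    return {
        ip
        for ip, s in per_source_stats(events).items()
        if s.attempts >= min_attempts
        and len(s.users) >= min_distinct_users
        and s.fail_ratio >= min_fail_ratio
    }


def risky_raw_downloads(events, flagged_ips):
    """Raw genetic data downloads made from a flagged source: these are the sessions
    that a step-up verification on download would have stopped."""
    return [
        (e["user"], e["ip"])
        for e in events
        if e["event"] == "DOWNLOAD_RAW" and e["ip"] in flagged_ips
    ]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    flagged = flag_stuffing_sources(evs)
    print("flagged sources:", sorted(flagged))
    print("raw downloads from flagged sources:", risky_raw_downloads(evs, flagged))
```

Note that the successful logins from the flagged source look perfectly valid on their own, which is why a per-account view misses this attack: the signal only appears when failures are grouped by source and compared across accounts. Requiring a fresh verification step before a raw-data download, independent of the login, is what limits the damage once a stolen password does work.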
Information Commissioner John Edwards heavily criticized 23andMe’s response, highlighting that the company was slow to react despite early warning signs. A full investigation was only initiated in October 2023, after an employee discovered the stolen data being advertised for sale on Reddit – months after the initial infiltration. “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK,” Edwards stated. “Once this information is out there, it cannot be changed or reissued like a password or credit card number.”
While the fine was reduced from an initial proposed amount of £4.59 million due to 23andMe’s recent bankruptcy filing in the US, the ICO maintained that a substantial penalty was necessary to ensure an effective and dissuasive response to the breaches. The ruling serves as a stark warning to organizations handling sensitive personal data, emphasizing the critical importance of robust cybersecurity practices and prompt incident response. 23andMe has reportedly implemented security enhancements since the breach, including making MFA a default setting.