ICO fines 23andMe £2.3M for data breach

The Information Commissioner’s Office (ICO) has imposed a fine of £2.31 million on genetic testing company 23andMe for failing to implement appropriate security measures to protect sensitive and personal information of users from the United Kingdom.
Between April and September 2023, an attacker carried out a credential stuffing attack (replaying username and password pairs leaked from other services) and gained access to 23andMe’s IT systems. The attacker used this unauthorized access to exfiltrate the personal information of around seven million users, including 155,592 residents of the United Kingdom.
The attacker managed to steal personal information, such as full names, dates of birth, location data, relationship status, health and pedigree data, profile images, race, ethnicity, and health reports.
The ICO and the Office of the Privacy Commissioner of Canada (OPC) launched a joint investigation and found that 23andMe didn’t have additional verification steps for users to access and download their genetic data at the time of the data breach.
The DNA testing company infringed UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, or secure password protocols.
It also failed to implement appropriate controls over access to raw genetic data and didn’t have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.
Lastly, the company’s response when the incident unfolded was also inadequate as it failed to properly investigate signals that a breach may be occurring. The company also didn’t adequately notify regulators and affected customers after the breach.
John Edwards, UK Information Commissioner, said that 23andMe neglected to take basic steps to protect personal user data. “Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm,” he commented.
“Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,” Privacy Commissioner of Canada Philippe Dufresne said in a statement.
According to the ICO and the OPC, 23andMe implemented security measures that were sufficient by the end of 2024.