UK Watchdog Fines 23andMe £2.31m Over Data Breach

DNA testing company 23andMe has been fined £2.31m by the UK’s Information Commissioner’s Office (ICO) following a data breach in 2023 that exposed sensitive personal information.

The ICO described the breach as “profoundly damaging,” noting that it affected thousands of users and included personal data such as names, geographical information, health reports, and family trees. While DNA records were not compromised, the breach highlighted significant vulnerabilities in the company’s security systems.

Nature of the Breach

In October 2023, hackers executed a “credential stuffing” attack, exploiting passwords exposed in prior breaches to access 14,000 individual accounts. Through these accounts, they gained access to data related to approximately 6.9 million individuals, many identified as potential relatives.

The breach affected 155,592 UK residents, exposing sensitive information, including race, ethnicity, health conditions, and family connections.

John Edwards, the UK Information Commissioner, emphasized the long-term impact of the breach:

“Once this information is out there, it cannot be changed or reissued like a password or credit card number.”

Inadequate Security Measures

The ICO investigation, conducted in partnership with Canada’s privacy commissioner, found that 23andMe violated UK data protection laws by failing to implement adequate security measures, including:

  • Lack of mandatory multi-factor authentication.
  • Insufficient password security requirements.
  • Weak verification processes for downloading raw genetic data.
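The three findings above map directly onto controls a defender can implement. The following Python is an added illustration, not code from the article, the ICO or 23andMe: it flags the credential-stuffing pattern described earlier (one source trying leaked username/password pairs against many distinct accounts, with a small success rate) in a constructed set of login records, and screens new passwords against a known-breached list using the hash-prefix scheme popularised by public breached-password services. All IP addresses, account names, passwords and thresholds are constructed for the example.

```python
"""Added example: defender-side checks for the ICO's 23andMe findings.
Credential-stuffing detection over login logs, plus password screening
against a breached-password corpus. All data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib

# Constructed login events (timestamp, source IP, account, outcome). In a
# real deployment these come from the identity provider's audit log.
LOGIN_EVENTS = [
    ("2023-10-01T10:00:00", "198.51.100.7", "alice", "fail"),
    ("2023-10-01T10:00:02", "198.51.100.7", "bob", "fail"),
    ("2023-10-01T10:00:04", "198.51.100.7", "carol", "success"),
    ("2023-10-01T10:00:05", "198.51.100.7", "dave", "fail"),
    ("2023-10-01T10:00:07", "198.51.100.7", "erin", "fail"),
    ("2023-10-01T10:00:09", "198.51.100.7", "frank", "success"),
    # A legitimate user mistyping a password twice, then succeeding.
    ("2023-10-01T10:05:00", "203.0.113.9", "grace", "fail"),
    ("2023-10-01T10:05:30", "203.0.113.9", "grace", "fail"),
    ("2023-10-01T10:06:00", "203.0.113.9", "grace", "success"),
]


def detect_credential_stuffing(events, window_minutes=10, min_accounts=5):
    """Flag source IPs that attempt logins against many *distinct* accounts
    within a short window. Stuffing replays leaked username/password pairs,
    so unlike brute force against one account it spreads across accounts and
    yields a small but non-zero success rate. Returns {ip: details}."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it fits window_minutes.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            seen = rows[start:end + 1]
            accounts = {user for _, user, _ in seen}
            if len(accounts) >= min_accounts:
                compromised = sorted(u for _, u, o in seen if o == "success")
                alerts[ip] = {"distinct_accounts": len(accounts),
                              "compromised": compromised}
    return alerts


# Constructed "known breached" corpus, stored as upper-case SHA-1 digests the
# way public breached-password lists are distributed. Plaintexts are never kept.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("password123", "Summer2023!", "qwerty")}


def password_is_breached(candidate, breached=BREACHED_SHA1):
    """True if the candidate appears in the breached corpus. Mirrors the
    k-anonymity range lookup: only the first 5 hex chars of the SHA-1 would
    leave the client; the remaining 35 are compared locally."""
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Simulates the server answering with every suffix sharing this prefix.
    suffixes_for_prefix = {h[5:] for h in breached if h.startswith(prefix)}
    return suffix in suffixes_for_prefix


def account_policy_findings(password, mfa_enrolled, min_length=12):
    """Enrolment-time policy check covering the three ICO findings:
    password strength, breached-password reuse and mandatory MFA."""
    findings = []
    if len(password) < min_length:
        findings.append("too_short")
    if password_is_breached(password):
        findings.append("known_breached")
    if not mfa_enrolled:
        findings.append("mfa_not_enrolled")
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(LOGIN_EVENTS).items():
        print(f"ALERT {ip}: {info['distinct_accounts']} accounts tried, "
              f"successful logins to {info['compromised']} need forced resets")
    print(account_policy_findings("qwerty", mfa_enrolled=False))
```

The detector keys on the number of distinct accounts per source rather than on failures per account, which is what separates stuffing from a password-guessing attack on a single user; the accounts it lists under `compromised` are the ones that would need a forced credential reset and MFA enrolment.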

Edwards criticized the company for how slowly it moved to close these gaps, stating:

“Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”

Fallout and Bankruptcy Proceedings

23andMe filed for bankruptcy following the breach and is now set to be sold to TTAM Research Institute, a non-profit biotech organization led by co-founder and former CEO Anne Wojcicki. The £305m deal includes commitments to strengthen customer data protection, allowing users to delete accounts and opt out of research.

James Moss, former ICO enforcement director, highlighted the significance of the fine despite the company’s bankruptcy:

“Even if the fine is never paid, it should encourage other organizations to strengthen their cybersecurity and dissuade them from failing to adequately protect sensitive personal data.”

A Cautionary Tale

The ICO’s fine and findings serve as a stark warning to companies handling special category data, such as genetic information. UK regulators continue to push for stricter safeguards, ensuring sensitive personal data is not left vulnerable to exploitation.

A bankruptcy court will review the sale of 23andMe’s assets on Wednesday, marking a new chapter for the embattled company.