UK data protection regulator the Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31 for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.

This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports.

The type and amount of personal information accessed varied depending on the information included in a customer’s account.

In a statement on Tuesday, the UK regulator concluded that the company had failed to implement adequate security measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames, allowing hackers to exploit vulnerabilities and access a trove of highly sensitive data.

The ICO added 23andMe also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.
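The attack pattern the ICO describes, many reused credentials tried against many different accounts from the same source, leaves a recognisable signature in authentication logs. The following is an added example of the kind of monitoring control the regulator says was missing; it is not code from the article, the ICO, or 23andMe. The log line format, the threshold values and the sample log lines are all constructed assumptions for illustration.

```python
"""
Credential-stuffing detection over authentication logs.

Added illustrative example; not the article's, the ICO's or 23andMe's code.
The log format, thresholds and sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source cycling through many accounts (stuffing),
# one ordinary user mistyping a password once, one clean login, one bad line.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2023-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2023-05-01T10:00:03Z ip=203.0.113.7 user=carol result=ok
2023-05-01T10:00:04Z ip=203.0.113.7 user=dave result=fail
2023-05-01T10:00:05Z ip=203.0.113.7 user=erin result=fail
2023-05-01T10:00:06Z ip=203.0.113.7 user=frank result=fail
2023-05-01T10:00:07Z ip=203.0.113.7 user=grace result=fail
2023-05-01T10:00:08Z ip=203.0.113.7 user=heidi result=fail
2023-05-01T10:05:00Z ip=198.51.100.4 user=alice result=fail
2023-05-01T10:05:20Z ip=198.51.100.4 user=alice result=ok
2023-05-01T10:06:00Z ip=192.0.2.9 user=bob result=ok
this line is malformed and is skipped by the parser
"""


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct usernames tried
    compromised: set = field(default_factory=set)  # users that logged in OK from this source


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for a malformed one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group login attempts by source IP; malformed lines are skipped, not fatal."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "fail":
            s.failures += 1
        else:
            s.compromised.add(rec["user"])
    return stats


def detect_stuffing(lines, min_distinct_users=5, min_failure_ratio=0.8):
    """
    Flag sources that tried many *different* accounts with a high failure rate.
    The distinct-user condition is what separates credential stuffing from a
    single user fumbling their own password. Thresholds are assumed values.
    """
    findings = []
    for ip, s in aggregate(lines).items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and ratio >= min_failure_ratio:
            findings.append({
                "ip": ip,
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "failure_ratio": ratio,
                # accounts that accepted the reused password: force a reset / MFA step-up
                "accounts_to_reset": sorted(s.compromised),
            })
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(f)
```

The output names the source, how many accounts it cycled through, and the accounts on which the reused password actually worked, which is the list an incident responder needs for forced resets. A per-IP threshold is only a starting point: a stuffing campaign spread across many addresses keeps each source below the threshold, so production detection also watches the site-wide failure rate and the number of distinct accounts hit per time window, and mandatory multi-factor authentication removes most of the value of a correct password in the first place.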

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions,” said Information Commissioner John Edwards.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm,” Edwards added.

The regulator said it carried out this investigation in collaboration with its Canadian counterparts, highlighting the power of international cooperation in holding global companies to account.

Philippe Dufresne, Privacy Commissioner of Canada, praised the collaborative nature of the investigation.

“By leveraging our combined powers, resources, and expertise, we are able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions,” he added.

In May, US biotechnology firm Regeneron entered into an agreement to acquire 23andMe for $256 million, with the transaction expected to close in the third quarter of 2025.

The agreement comes two months after 23andMe filed for bankruptcy protection in the US.
