23andMe an American personal genomics and biotechnology company has been fined £2.31m by a UK watchdog over 2023 data breach which saw thousands of customers affected. The Information Commissioner’s Office (ICO) said the DNA testing firm – which has since filed for bankruptcy – failed to put adequate measures in place to secure sensitive user data prior to the incident.
“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions”, said Information Commissioner John Edwards.
23andMe is set to be sold to a new owner, TTAM Research Institute – a non-profit biotech organisation led by its co-founder and former chief executive Anne Wojcicki, which said it had “made several binding commitments to enhance protections for customer data and privacy”.
23andMe’s users were targeted by what is known as a “credential stuffing” attack in October 2023. This saw hackers use passwords exposed in previous breaches to access 23andMe accounts for which people had used the same or similar credentials. They were able to access 14,000 individual accounts – and, through those, download information relating to about 6.9m people linked to as possible relations on the site.
According to the ICO, this included access to personal data belonging to 155,592 UK residents, such as names, year of birth, geographical information, profile images, race, ethnicity, health reports and family trees. Stolen data did not include DNA records.
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number”, said Mr Edwards.
Due to its more sensitive nature, genetic data is considered special category data under UK data protection law and requires further protections and safeguards. Firms controlling it should consider having additional security measures in place to help secure it, according to the ICO’s guidance.
Its investigation – launched along with Canada’s privacy commissioner last June – found that 23andMe breached UK data protection law by not having appropriate authentication and verification measures for customers during its login process. This included not having mandatory multi-factor authentication to allow users logging in to verify themselves through additional means or devices. The company also did not have secure password requirements or more verification requirements for users trying to download raw genetic data, it added.
Mr Edwards said such failures and delays in resolving them “left people’s most sensitive data vulnerable to exploitation and harm”. “Their security systems were inadequate, the warning signs were there, and the company was slow to respond,” he said.
Source: BBC News
Image Credit: Stock Image
