The UK’s Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31 million for failing to adequately secure the personal and genetic data of more than 155,000 UK residents during a 2023 cyberattack.
The penalty follows a joint investigation by the ICO and the Office of the Privacy Commissioner of Canada, which found that 23andMe’s inadequate security controls allowed hackers to carry out a credential stuffing attack between April and September 2023. Attackers exploited reused login credentials from previous unrelated breaches, gaining access to sensitive data including users’ names, locations, profile images, family trees, health reports, and genetic information.
The ICO concluded that 23andMe failed to implement appropriate verification steps for account access and for the download of raw genetic data. The company lacked multi-factor authentication and secure password policies, and it did not monitor or respond effectively to cyber threats.
“This was a profoundly damaging breach,” said UK Information Commissioner John Edwards. “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”
The breach led to intense public concern. One complainant told the ICO, “You can’t change your genetic makeup when a data breach occurs.” Another said they were “disgusted” and “extremely anxious” about the exposure of their DNA data.
Though initial warnings surfaced as early as May 2023, 23andMe didn’t launch a full investigation until October, after the stolen data appeared for sale on Reddit. By the end of 2024, the company had implemented sufficient security improvements to resolve the failings identified in the ICO’s provisional decision.
The UK incident with 23andMe underscores the need for strong cybersecurity practices in organizations handling sensitive data. Regulatory authorities advise using multi-factor authentication, timely software updates, and regular threat monitoring.
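As an added illustration (not part of the ICO's findings or of 23andMe's systems), the Python below sketches the kind of login monitoring the article says was missing: it flags a source that cycles through many distinct accounts with a high failure rate, the signature of credential stuffing rather than a single-account brute force, and lists the accounts that source did get into, which are the ones an MFA challenge or session revocation should cover before any raw-data download. All log lines, IP addresses and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not data from the 23andMe incident):
# timestamp, source IP, account, outcome. One source tries many accounts with
# reused passwords and gets a single hit; the other is a normal user.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 u1@example.com FAIL
2023-05-01T10:00:03 203.0.113.7 u2@example.com FAIL
2023-05-01T10:00:05 203.0.113.7 u3@example.com FAIL
2023-05-01T10:00:07 203.0.113.7 u4@example.com OK
2023-05-01T10:00:09 203.0.113.7 u5@example.com FAIL
2023-05-01T10:00:11 203.0.113.7 u6@example.com FAIL
2023-05-01T10:00:30 198.51.100.2 alice@example.com FAIL
2023-05-01T10:00:45 198.51.100.2 alice@example.com OK
2023-05-01T11:30:00 198.51.100.2 alice@example.com OK
"""

def parse_log(text):
    """Return (timestamp, ip, account, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome == "OK"))
    return sorted(events)

def stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that hit many distinct accounts inside one window, mostly failing.
    A brute force on one account looks different: one account, many failures."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past stale events
            seen = evs[start:end + 1]
            accounts = {a for _, a, _ in seen}
            fail_ratio = sum(not ok for _, _, ok in seen) / len(seen)
            if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
                flagged[ip] = {"accounts": len(accounts), "fail_ratio": round(fail_ratio, 2)}
                break
    return flagged

def accounts_to_step_up(events, flagged):
    """Accounts a flagged source logged into: revoke their sessions and require
    an MFA challenge or password reset before further access or data download."""
    return sorted({a for _, ip, a, ok in events if ok and ip in flagged})
```

Thresholds are assumptions for the sample; in production they would be tuned per login endpoint and combined with checks against known-breached password lists.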
Need Help?
If you’re concerned or have questions about how to navigate the global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.