A DNA genetic testing company has been fined £2.31m by the UK data protection watchdog, the ICO, for failing to protect the personal information of UK users, after what the regulator termed a large-scale cyber attack in 2023. The ICO investigated jointly with the Office of the Privacy Commissioner of Canada.
Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting re-used login credentials that were stolen from previous, unrelated data breaches.
This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer’s account.
The ICO found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.
In October 2023, a genetic dataset relating to four million customers originating from Britain was offered for sale on an online forum dedicated to such breaches. The same month, the firm emailed its customers to inform them of the data breach and mandated a password reset. The firm has since gone through what it termed a ‘bankruptcy and sale process’, having filed for bankruptcy protection in March.
John Edwards, UK Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.
“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.
“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”
The ICO said that the company breached UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication (which the firm mandated in November 2023), secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.
The watchdog described 23andMe’s response to the unfolding incident as inadequate. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023. In August 2023, a claim of data theft affecting over ten million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023. Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.
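As an added illustration (not code from 23andMe, the ICO or this article), the kind of per-source sweep check the regulator says was missing: one source trying many distinct accounts with a low success rate is the signature of credential stuffing, and the accounts that did succeed are the ones to force-reset. The log format, IP addresses and usernames below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from 23andMe or the ICO report). Assumed
# line format: "<timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2023-05-02T01:00:01 198.51.100.7 alice LOGIN_FAIL
2023-05-02T01:00:02 198.51.100.7 bob LOGIN_FAIL
2023-05-02T01:00:03 198.51.100.7 carol LOGIN_FAIL
2023-05-02T01:00:04 198.51.100.7 dave LOGIN_OK
2023-05-02T01:00:05 198.51.100.7 erin LOGIN_FAIL
2023-05-02T01:00:06 198.51.100.7 frank LOGIN_FAIL
2023-05-02T01:00:07 198.51.100.7 heidi LOGIN_OK
2023-05-02T09:15:00 203.0.113.5 alice LOGIN_FAIL
2023-05-02T09:15:20 203.0.113.5 alice LOGIN_OK
2023-05-02T10:00:00 192.0.2.9 bob LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, user, succeeded) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "LOGIN_OK"

def detect_credential_stuffing(text, min_users=5, max_success_ratio=0.5):
    """Flag IPs that sweep many distinct accounts with a low hit rate; the
    accounts that did succeed from a flagged IP are the ones to force-reset."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "successes": 0, "hits": set()})
    for _, ip, user, ok in parse_log(text):
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if ok:
            rec["successes"] += 1
            rec["hits"].add(user)
    flagged = {}
    for ip, rec in per_ip.items():
        ratio = rec["successes"] / rec["attempts"]
        if len(rec["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"users": len(rec["users"]), "attempts": rec["attempts"],
                           "compromised": sorted(rec["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"ALERT credential stuffing from {ip}: {stats}")
```

The single-account retries from 203.0.113.5 and 192.0.2.9 are left alone, so the check distinguishes a user who mistyped a password from a sweep across accounts.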
By the end of 2024, the security improvements made by 23andMe were sufficient to bring an end to the breaches identified, the regulators added. In a May update, the firm said that privacy and data security remained one of its top priorities.
Comment
Max Vetter, VP of Cyber at Immersive, said: “The truth is that the majority of breaches happen because the most simple and basic security practices are not followed. The ICO’s fine is substantial; however, it is justified. When an organisation is responsible for such personal and sensitive data, the security basics cannot be ignored. There is no excuse for any business that does not have multi-factor authentication implemented and enforced, uses weak passwords, or neglects to patch known vulnerabilities. Hygiene fundamentals should form the absolute baseline of any cybersecurity strategy.
“A lot of poor cyber hygiene can be traced back to a lack of development in cyber skills across an organisation’s workforce. We must ditch ineffective cyber skills development programmes and replace them with cyber simulations that reinforce both crisis response and core cyber hygiene through repetition and lived experience.”