Tue. Jun 17th, 2025
UK Regulator Fines 23andMe for Serious Data Breach

Genetic testing company 23andMe has received a £2.31 million fine from the UK’s Information Commissioner’s Office (ICO) following a significant data breach in 2023. The breach impacted thousands of individuals.

The ICO attributed the incident to inadequate security measures at 23andMe, which has since filed for bankruptcy. Information Commissioner John Edwards stated, “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions.”

As part of the company’s pending sale to TTAM Research Institute, the acquiring entity has pledged “several binding commitments to enhance protections for customer data and privacy.”

The October 2023 breach involved a “credential stuffing” attack, in which the attackers reused username and password pairs exposed in previous, unrelated data leaks to log in to roughly 14,000 23andMe accounts. Because those accounts could see data shared by relatives and matches, this compromised information on approximately 6.9 million individuals linked to them.

According to the ICO, this included sensitive data from 155,592 UK residents, encompassing names, birth years, location data, profile pictures, ethnicity, health reports, and family trees. Importantly, DNA records were not accessed.

Mr. Edwards emphasized the irreversible nature of the exposed information, stating, “As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”

The ICO highlights the stricter regulatory requirements for genetic data, categorized as “special category data” under UK law, demanding enhanced security measures. The investigation, conducted jointly with Canada’s privacy commissioner last June, found 23andMe’s insufficient authentication and verification protocols, including the lack of mandatory multi-factor authentication, to be in violation of UK data protection law.

Further shortcomings included weak password requirements and insufficient verification for raw genetic data downloads. Mr. Edwards criticized 23andMe’s inadequate security systems and delayed response to warning signs, leaving user data vulnerable.
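The attack pattern described above (one source trying leaked credentials against many different accounts with a low hit rate) and the missing control the ICO highlighted (no mandatory MFA) can both be surfaced from ordinary login logs. The following is an added example written for this article, not code from 23andMe or the ICO; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Credential-stuffing triage over constructed login events (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real data): timestamp, source IP, account, outcome, MFA flag.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.test FAIL mfa=no
2023-10-01T10:00:02Z 203.0.113.7 bob@example.test FAIL mfa=no
2023-10-01T10:00:02Z 203.0.113.7 carol@example.test OK mfa=no
2023-10-01T10:00:03Z 203.0.113.7 dave@example.test FAIL mfa=no
2023-10-01T10:00:04Z 203.0.113.7 erin@example.test OK mfa=no
2023-10-01T10:00:05Z 203.0.113.7 frank@example.test FAIL mfa=no
2023-10-01T10:05:00Z 198.51.100.2 alice@example.test FAIL mfa=no
2023-10-01T10:05:09Z 198.51.100.2 alice@example.test OK mfa=yes
"""

@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)        # distinct accounts tried from this source
    success_no_mfa: set = field(default_factory=set)  # logins that succeeded on password alone

def parse_events(text):
    """Parse the assumed space-separated log format into event dicts."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome, mfa = line.split()
        yield {"ts": ts, "ip": ip, "account": account,
               "ok": outcome == "OK", "mfa": mfa == "mfa=yes"}

def aggregate(events):
    """Group login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.accounts.add(e["account"])
        if e["ok"]:
            s.successes += 1
            if not e["mfa"]:
                s.success_no_mfa.add(e["account"])
    return stats

def flag_stuffing(stats, min_accounts=5, max_success_rate=0.5):
    """Stuffing signature: many distinct accounts from one source, mostly failing.
    Returns, per flagged source, the accounts that were reached without MFA and
    therefore need a password reset and step-up verification."""
    flagged = {}
    for ip, s in stats.items():
        if len(s.accounts) >= min_accounts and s.successes / s.attempts <= max_success_rate:
            flagged[ip] = sorted(s.success_no_mfa)
    return flagged

def triage(text, **thresholds):
    return flag_stuffing(aggregate(parse_events(text)), **thresholds)
```

A user retrying their own password from one address (the second source above) is not flagged, while the spray across six accounts is, together with the two accounts it reached on password alone.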

23andMe claims to have addressed these issues by the end of 2024. Both the ICO and the Office of the Privacy Commissioner of Canada recently urged 23andMe to prioritize data protection amidst its bankruptcy proceedings.

Following a revised bidding process, 23andMe announced Friday the sale of its assets to TTAM Research Institute, a non-profit organization, for $305 million. This sale includes binding commitments to maintain existing customer protections, including data deletion and research opt-out options. A bankruptcy court will review the sale on Wednesday.