UK ICO Fines 23andMe £2.3m for Data Protection Failings


Embattled genetic testing company 23andMe has been fined £2.3m ($3.1m) by the UK’s privacy regulator for failing to protect customers’ special category data following a 2023 cyber-attack.

The company, which has since filed for Chapter 11 bankruptcy in the US, revealed in October 2023 that threat actors had accessed customers’ profile information following a credential stuffing campaign.

According to the UK’s Information Commissioner’s Office (ICO), the campaign ran from April to September that year, exploiting reused login credentials stolen from previous unrelated data breaches.

The attackers gained access to a small number of accounts directly with these reused credentials, then used each compromised account to scrape data on many more users who had opted in to the DNA Relatives feature, which exposes matching relatives’ profile information to any other opted-in account.

23andMe said at the time that the incident impacted around six million customers.

The UK regulator completed a joint investigation with its Canadian counterpart.

Speaking at a press conference in Ottawa on June 17, UK Information Commissioner John Edwards and Canada’s Privacy Commissioner Philippe Dufresne said the probe concluded that the personal information of a total of seven million people worldwide, including 320,000 Canadian residents and 155,592 UK residents, had been compromised.

Depending on the individual, this data may have included names, birth years, self-reported city or postcode, profile images, race, ethnicity, family trees and health reports.

Although some of the blame lies with customers who reused passwords across sites, the ICO found that 23andMe broke data protection law in several ways:

  • Failing to deploy secure authentication and verification processes for customer logins, including mandatory multi-factor authentication (MFA), secure password requirements or unpredictable usernames
  • Failing to put in place appropriate measures to secure the access to and downloading of raw genetic data
  • Failing to put in place measures to monitor, detect and respond to cyber-threats to customers’ personal information

Missed Opportunities

The regulator added that 23andMe missed several opportunities to act.

It said:

  • The hacker began the credential stuffing attack in April 2023, but the first round of “intense credential stuffing activity” did not start until May 2023, leaving a window of low-volume activity that went unnoticed
  • In July 2023, the hacker used an automated program to log into a single free account with no associated DNA sample over a million times, as part of an unsuccessful attempt to initiate “profile transfers”
  • Later in July 2023, the hacker tried to initiate profile transfers in 400 separate accounts. 23andMe investigated but failed to recognise this as part of a larger ongoing data breach
  • In August 2023, a claim of data theft affecting over 10 million users was dismissed by 23andMe as a hoax
  • In September 2023, the hacker carried out a second round of “intense” credential stuffing activity
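The ICO’s third finding (no measures to monitor, detect and respond) and the missed opportunities above both come down to two signals that were present in 23andMe’s own authentication logs: one source replaying many different usernames with a high failure rate, and one account being logged into far more often than any human would. The following is an added example, not 23andMe’s code or anything the ICO published; the log format, the thresholds, the function names and the sample events are all assumptions constructed for illustration.

```python
"""Credential-stuffing and account-hammering detection over auth logs.

Added example, not 23andMe's code: the log format, thresholds and the
constructed sample events below are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, NamedTuple


class LoginEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(lines: Iterable[str]) -> list[LoginEvent]:
    """Parse assumed-format lines: '<ISO timestamp> <source ip> <username> <ok|fail>'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "ok"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=20, min_fail_ratio=0.8) -> set[str]:
    """Flag source IPs that try many *different* usernames, mostly failing,
    inside one window: a breached-credential list being replayed. Per-account
    lockouts miss this because each account sees only one or two attempts."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):  # sliding window anchored at each event
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            users = {e.user for e in in_window}
            fails = sum(1 for e in in_window if not e.ok)
            if len(users) >= min_distinct_users and fails / len(in_window) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged


def detect_account_hammering(events, window=timedelta(minutes=10), max_attempts=100) -> set[str]:
    """Flag single accounts logged into far more often than a human would,
    successes included: a script driving one valid account (e.g. to abuse a
    feature repeatedly) is invisible to alerting that only counts failures."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            count = sum(1 for e in evs[i:] if e.ts - start.ts <= window)
            if count >= max_attempts:
                flagged.add(user)
                break
    return flagged


def build_sample_log() -> list[str]:
    """Constructed sample data (not from the incident): one stuffing source,
    one hammered free account, and ordinary logins as background noise."""
    t0 = datetime(2023, 5, 2, 10, 0, 0)
    lines = []
    # 30 different usernames replayed from one IP; 2 of the reused passwords work.
    for i in range(30):
        result = "ok" if i in (7, 19) else "fail"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.9 user{i:03d} {result}")
    # A script logging into one free account 150 times in five minutes.
    for i in range(150):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 198.51.100.7 free_acct ok")
    # Ordinary users: a couple of logins each, with the occasional typo.
    for i, (ip, user) in enumerate([("192.0.2.10", "alice"), ("192.0.2.11", "bob")]):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} {ip} {user} fail")
        lines.append(f"{(t0 + timedelta(minutes=i, seconds=20)).isoformat()} {ip} {user} ok")
    return lines


def run_detectors(lines=None) -> dict:
    """Run both detectors over the given lines (or the constructed sample)."""
    events = parse_log(lines if lines is not None else build_sample_log())
    return {
        "stuffing_sources": detect_credential_stuffing(events),
        "hammered_accounts": detect_account_hammering(events),
    }


if __name__ == "__main__":
    print(run_detectors())
```

On the constructed sample, `run_detectors()` flags `203.0.113.9` as a stuffing source and `free_acct` as a hammered account, while the two ordinary users pass. The thresholds are deliberately generous; in production they are tuned against the site’s own baseline, and the distinct-username signal is the one worth keeping even when an attacker rotates source IPs, by counting per ASN, per TLS fingerprint or per device identifier instead of per address.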

The ICO said that the company only began a full investigation when the stolen data was advertised for sale on Reddit.

“The breach serves as a cautionary tale for all organizations about the importance of data protection in an era of growing cyber threats. It is particularly relevant at a time when more and more personal information is being collected, used and shared in a growing digital economy,” Dufresne said.

During the press conference, the Privacy Commissioner also explained why his government has not issued a similar sanction as its UK counterpart’s: “Unfortunately, Canadian privacy law does not yet provide this to me. It is something that I have been advocating for since my appointment. We had proposed law reform in the last parliament in Bill C-27 and I hope and expect that this new parliament will be turning its attention to remedying this and giving us the ability to issue orders and fines.”

Back in September 2024, 23andMe agreed to pay $30m in a data breach settlement in which it denied any wrongdoing. Earlier that year, the firm’s lawyers had continued to blame user negligence for the incident.

The ICO fine comes a few days after it was revealed that TTAM Research Institute, a non-profit run by 23andMe’s co-founder and former CEO, Anne Wojcicki, had won the final round of bidding in the auction to acquire 23andMe.

“Statements and assurances have been made by the upcoming buyer, to ensure it will respect the existing privacy policies and clauses, and we certainly expect this to be done,” said Privacy Commissioner Dufresne.

“We will be carefully following that the obligations should continue to apply to any new owner, and that if there are any concerns, our citizens can reach out to us and we’ll take the appropriate steps,” he added.
