UK watchdog fines struggling 23andMe for large data breach


DNA testing firm 23andMe has been fined £2.31 million ($3.1M) by the UK's data protection regulator over a "profoundly damaging" 2023 data breach that exposed the data of roughly seven million users, including more than 155,000 UK residents. The company has since filed for bankruptcy.

Key takeaways:

According to the Information Commissioner’s Office (ICO), 23andMe failed to take adequate measures to secure sensitive user data before the incident.


In 2023, attackers exfiltrated the full names, dates of birth, location data, relationship status, health and family-tree data, and the profile information that users had voluntarily shared in order to find and contact genetic relatives, for about seven million users.

This was a credential stuffing attack: the attacker replayed username and password pairs leaked in earlier, unrelated breaches against 23andMe's login form, so it succeeded wherever a user had reused a password. The accounts broken into directly were a small fraction of the total; most of the exposed data belonged to the relatives those accounts had matched with, whose profile information is visible to every match.

The ICO is intervening because the personal data of 155,592 UK residents was among that accessed. Its investigation found that 23andMe required no additional verification step, such as a second factor or a fresh re-authentication, before a logged-in user could access and download their raw genetic data.
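As an added illustration of the two failures described above, the following Python script is example code written for this article, not 23andMe's own systems or logs. It runs two checks over a constructed set of authentication log lines: it flags any source IP that attempts logins against many distinct accounts in a short window with mostly failures, which is the signature of credential stuffing, and it lists the accounts that were successfully logged into from that IP; it also flags raw-data downloads that were not preceded by a recent step-up verification. The log format, thresholds, IP addresses, usernames and event names are all assumptions.

```python
"""Credential-stuffing detection and a step-up-verification check over
constructed authentication logs (hypothetical example; not 23andMe's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# <ISO-8601 UTC timestamp> <source IP> <event> <user>
SAMPLE_LOG = """\
2023-04-10T02:00:01Z 203.0.113.7 login_fail alice@example.com
2023-04-10T02:00:02Z 203.0.113.7 login_fail bob@example.com
2023-04-10T02:00:03Z 203.0.113.7 login_ok carol@example.com
2023-04-10T02:00:04Z 203.0.113.7 login_fail dave@example.com
2023-04-10T02:00:05Z 203.0.113.7 login_fail erin@example.com
2023-04-10T02:00:06Z 203.0.113.7 login_ok frank@example.com
2023-04-10T02:00:07Z 203.0.113.7 login_fail grace@example.com
2023-04-10T02:00:08Z 203.0.113.7 login_fail heidi@example.com
2023-04-10T02:00:09Z 203.0.113.7 login_fail ivan@example.com
2023-04-10T02:00:10Z 203.0.113.7 login_fail judy@example.com
2023-04-10T02:00:11Z 203.0.113.7 login_ok mallory@example.com
2023-04-10T02:00:12Z 203.0.113.7 login_fail oscar@example.com
2023-04-10T02:01:00Z 203.0.113.7 download_raw_data carol@example.com
2023-04-10T09:15:00Z 198.51.100.4 login_fail alice@example.com
2023-04-10T09:15:20Z 198.51.100.4 login_ok alice@example.com
2023-04-10T09:16:00Z 198.51.100.4 step_up_ok alice@example.com
2023-04-10T09:16:30Z 198.51.100.4 download_raw_data alice@example.com
"""

# Assumed thresholds; tune to the real login volume of the service.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 10       # one IP cycling through many different accounts
MIN_FAIL_RATIO = 0.5          # replayed leaked creds mostly fail, a few succeed
STEP_UP_MAX_AGE = timedelta(minutes=15)


def parse_log(text):
    """Parse log lines into (timestamp, ip, event, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, user = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, event, user))
    return events


def find_stuffing_sources(events):
    """Return {ip: stats} for IPs whose login pattern looks like credential stuffing.

    A sliding window per source IP counts distinct target accounts and the
    failure ratio; any window over both thresholds flags the IP. Accounts
    with a successful login from a flagged IP are reported for lockout/reset."""
    by_ip = defaultdict(list)
    for ts, ip, event, user in events:
        if event in ("login_ok", "login_fail"):
            by_ip[ip].append((ts, event, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        hit = None
        for end in range(len(attempts)):
            # advance the window start so it spans at most WINDOW
            while attempts[end][0] - attempts[start][0] > WINDOW:
                start += 1
            window = attempts[start:end + 1]
            users = {u for _, _, u in window}
            fails = sum(1 for _, e, _ in window if e == "login_fail")
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                if hit is None:
                    hit = {"distinct_users": 0, "attempts": 0, "failures": 0, "compromised": set()}
                hit["distinct_users"] = max(hit["distinct_users"], len(users))
                hit["attempts"] = max(hit["attempts"], len(window))
                hit["failures"] = max(hit["failures"], fails)
                hit["compromised"] |= {u for _, e, u in window if e == "login_ok"}
        if hit is not None:
            hit["compromised"] = sorted(hit["compromised"])
            flagged[ip] = hit
    return flagged


def find_unverified_downloads(events):
    """Return (user, ip, timestamp) for raw-data downloads with no recent step-up.

    This is the control the ICO found missing: a download of raw genetic data
    should require a fresh verification, not just a live session."""
    last_step_up = {}
    findings = []
    for ts, ip, event, user in sorted(events):
        if event == "step_up_ok":
            last_step_up[user] = ts
        elif event == "download_raw_data":
            verified_at = last_step_up.get(user)
            if verified_at is None or ts - verified_at > STEP_UP_MAX_AGE:
                findings.append((user, ip, ts))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, stats in find_stuffing_sources(evts).items():
        print(f"credential stuffing from {ip}: {stats}")
    for user, ip, ts in find_unverified_downloads(evts):
        print(f"raw data download without step-up: {user} from {ip} at {ts}")
```

In the sample data, 203.0.113.7 tries twelve different accounts in twelve seconds with nine failures, so it is flagged and carol, frank and mallory are listed as accounts to lock and reset; carol's raw-data download from that IP is also reported because no step-up verification preceded it, while alice's download after a step-up is not.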


“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number,” said John Edwards, UK Information Commissioner.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

Indeed, 23andMe's response to the incident was slow and dismissive. The attacker began the credential stuffing campaign in April 2023, yet in August the company dismissed a claim that data had been stolen as a hoax.

Even after another wave of credential stuffing in September 2023, 23andMe did not begin a full investigation until October. Only by the end of 2024 were its security improvements sufficient to bring the intrusions to an end.

[Image: 23andMe HQ. Photo: Tayfun Coskun/Anadolu via Getty Images]

According to Max Vetter, VP of Cyber at the cybersecurity firm Immersive, the ICO's fine is therefore fully justified and "serves as a critical reminder that some of the most basic security practices can be the most costly if an organization isn't prepared for them."

“There is no excuse for any business that does not have multi-factor authentication implemented and enforced, uses weak passwords, or neglects to patch known vulnerabilities. Hygiene fundamentals should form the absolute baseline of any cybersecurity strategy,” Vetter told Cybernews.

23andMe grew in popularity by selling DNA kits that allowed users to build a genetic profile and do genealogical research. The firm also generated revenue by collaborating with pharmaceutical companies and selling anonymized data for medical research.

Last year, 23andMe agreed to a $30 million settlement with affected customers. Earlier this year, the company filed for bankruptcy protection, temporarily shielding itself from creditors.