UK ICO Imposes £2.3 Million Fine on 23andMe for Data Protection Violations


Embattled genetic testing company 23andMe has been fined £2.3 million ($3.1 million) by the UK’s privacy regulator for failing to adequately protect customers’ special category data following a cyber-attack in 2023.

The company, currently in Chapter 11 bankruptcy in the United States, disclosed in October 2023 that customer profile information had been accessed by threat actors through a credential stuffing campaign. This campaign, conducted from April to September 2023, exploited reused login credentials that had been stolen from previous data breaches.

Initially, hackers gained access to a limited number of accounts using these compromised credentials. Subsequently, they were able to scrape data from other users associated with the DNA Relatives feature. 23andMe acknowledged that the incident affected approximately six million customers.

The UK’s Information Commissioner’s Office (ICO) completed a joint investigation with its Canadian counterpart, revealing that personal information of seven million individuals worldwide was compromised, including 320,000 Canadian residents and 155,592 UK residents. The breached data included names, birth years, self-reported city or postcode, profile images, race, ethnicity, family trees, and health reports.

While some responsibility falls on customers for poor password management, the ICO concluded that 23andMe violated data protection laws in several key areas:

– Lack of Secure Authentication: The company failed to implement secure authentication and verification processes for customer logins, including mandatory multi-factor authentication (MFA), secure password requirements, or unpredictable usernames.
– Inadequate Data Security Measures: There were insufficient measures to secure access to and downloading of raw genetic data.
– Failure to Monitor for Threats: The company did not establish effective protocols to monitor, detect, and respond to cyber threats targeting customer personal information.

The regulator noted that 23andMe missed multiple opportunities to prevent the breach:

– The credential stuffing attack commenced in April 2023, and the hacker intensified their activity in May 2023.
– In July 2023, the hacker attempted to use a computer program to access a free account without an associated DNA sample over a million times.
– Later that month, the hacker tried to initiate profile transfers on 400 accounts. Despite an investigation, 23andMe failed to recognize this as an indication of an ongoing data breach.
– In August 2023, a claim indicating data theft affecting over ten million users was incorrectly dismissed as a hoax by 23andMe.
– A second round of intense credential stuffing activity occurred in September 2023.
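The missed signals listed above (one source replaying credentials across many accounts, a single free account hit an enormous number of times, and profile transfers initiated across hundreds of accounts) are the kind a login-activity monitor can flag. The following Python is an added example written for this page, not 23andMe's code; it runs over constructed log events with hypothetical thresholds.

```python
from collections import Counter, defaultdict

# Constructed sample events (hypothetical; not 23andMe's logs): (source_ip, user, action, outcome)
SAMPLE_EVENTS = (
    # one source replaying stolen username/password pairs across many distinct accounts
    [("198.51.100.7", f"user{i}@example.com", "login", "fail") for i in range(40)]
    + [("198.51.100.7", f"user{i}@example.com", "login", "ok") for i in (3, 17, 21, 28)]
    # one free account hammered by an automated client
    + [("192.0.2.33", "free-account@example.com", "login", "fail")] * 150
    # ordinary traffic: a typo followed by a successful login
    + [("203.0.113.9", "bob@example.com", "login", "fail"),
       ("203.0.113.9", "bob@example.com", "login", "ok")]
    # a sensitive action repeated from one source across the accounts it got into
    + [("198.51.100.7", f"user{i}@example.com", "profile_transfer", "ok") for i in (3, 17, 21, 28)]
)

def stuffing_sources(events, min_users=20, min_fail_rate=0.8):
    """Credential-stuffing signature: a single source tries many *distinct* usernames and
    most attempts fail, because replayed pairs only match where the password was reused.
    Returns {source: (distinct_users, fail_rate)} for sources over both thresholds."""
    users, fails, total = defaultdict(set), Counter(), Counter()
    for src, user, action, outcome in events:
        if action != "login":
            continue
        users[src].add(user)
        total[src] += 1
        fails[src] += int(outcome == "fail")
    return {s: (len(users[s]), fails[s] / total[s]) for s in total
            if len(users[s]) >= min_users and fails[s] / total[s] >= min_fail_rate}

def hammered_accounts(events, max_attempts=100):
    """One account receiving far more login attempts than a person would make
    (the 'over a million times' signal). Returns {user: attempts} over the threshold."""
    attempts = Counter(user for _, user, action, _ in events if action == "login")
    return {u: n for u, n in attempts.items() if n > max_attempts}

def bulk_sensitive_actions(events, action="profile_transfer", min_accounts=3):
    """A sensitive action requested from one source on many different accounts
    (the 'profile transfers on 400 accounts' signal). Returns {source: account_count}."""
    accounts = defaultdict(set)
    for src, user, act, outcome in events:
        if act == action and outcome == "ok":
            accounts[src].add(user)
    return {s: len(a) for s, a in accounts.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    print("stuffing:", stuffing_sources(SAMPLE_EVENTS))
    print("hammered:", hammered_accounts(SAMPLE_EVENTS))
    print("bulk actions:", bulk_sensitive_actions(SAMPLE_EVENTS))
```

In production these counts would be computed over a sliding time window and joined with other signals (IP reputation, client fingerprint), but the three thresholds already separate the constructed attack traffic from the single mistyped password.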

The ICO stated that a thorough investigation only began once the stolen data was advertised for sale on an online platform.

“This breach underlines the critical need for stringent data protection measures amid increasing cyber threats. It is particularly pertinent as the digital economy continues to expand and personal information becomes more prevalent,” commented a Privacy Commissioner.

During a press conference, it was explained that Canadian privacy law currently lacks enforcement powers comparable to those the UK regulator used to impose this fine, an issue on which the Canadian authorities have been actively advocating reform.

In September 2024, 23andMe agreed to a $30 million settlement related to the data breach but denied any wrongdoing. Earlier that year, the company attributed the incident to user negligence.

The ICO’s fine comes shortly after it was reported that TTAM Research Institute, a non-profit entity led by 23andMe’s co-founder, is positioned to acquire the company. The Privacy Commissioner assured that the new buyer’s commitments to adhere to existing privacy policies would be closely monitored.