The ICO has fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber-attack in 2023.
The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.
Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches. This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer’s account.
The joint investigation into 23andMe revealed serious security failings at the time of the 2023 data breach. The ICO says that 23andMe breached UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.
23andMe’s response to the unfolding incident was inadequate. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023. In August 2023, a claim of data theft affecting over 10 million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023. Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.
By the end of 2024, the security improvements made by 23andMe were sufficient to bring an end to the breaches identified. The combination of personal information that could be found in 23andMe accounts, such as post codes, race, ethnic origin, familial connections, and health data could potentially be exploited by malicious actors for financial gain, surveillance or discrimination. The ICO received 12 complaints from consumers.
The ICO has produced guidance which recommends using two-factor or multi-factor authentication wherever possible, particularly when sensitive personal information is being collected or processed. In addition, organisations should regularly scan for vulnerabilities and install the latest security patches without delay.
