The Information Commissioner’s Office (ICO) has fined DNA testing firm 23andMe £2.31 million for “serious security failings,” after a 2023 cyber attack exposed the data of more than 155,000 people in the UK.
The data protection watchdog said in its ruling published on Tuesday that the U.S.-based company had breached British data protection law by failing to have proper authentication and verification steps in place, which help prevent unauthorised access to users’ data.
“It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information,” the ICO said.
The attack, which took place between April and September 2023, saw hackers access data belonging to 155,592 UK residents. Depending on the information included in a customer’s account, criminals could have accessed people’s names, dates of birth, location, profile images, race, ethnicity, family trees, and health reports.
Information Commissioner John Edwards called the breach “profoundly damaging.”
He said: “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”
Credential Stuffing
The type of cyber attack carried out against 23andMe was a “credential stuffing attack.” If a cyber criminal can gain fraudulent access to one site using a valid combination of a username and password, they can then try them on other sites to access different accounts.

The NCSC said that while the primary motivation for credential stuffing is financial, it can lead to identity theft.
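Credential stuffing leaves a recognisable trace in authentication logs: one source trying many different usernames in a short time, most of them failing. The following is an added example, not code from the article or from 23andMe, showing the kind of monitoring the ICO found missing. It assumes a constructed log format of `<timestamp> <ip> <username> <OK|FAIL>` and illustrative thresholds (a 10-minute window, 5 or more distinct usernames, at most half the attempts succeeding).

```python
# Added example (not from the article): flag source IPs whose login attempts
# inside a sliding window cover many distinct usernames with a low success
# rate, the signature of a credential-stuffing run. Thresholds are illustrative.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <ip> <username> <result>"
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.5 alice FAIL
2023-05-01T10:00:02 203.0.113.5 bob FAIL
2023-05-01T10:00:03 203.0.113.5 carol FAIL
2023-05-01T10:00:04 203.0.113.5 dave OK
2023-05-01T10:00:05 203.0.113.5 erin FAIL
2023-05-01T10:00:06 203.0.113.5 frank FAIL
2023-05-01T10:00:07 198.51.100.9 alice OK
2023-05-01T10:05:00 198.51.100.9 alice FAIL
2023-05-01T10:05:03 198.51.100.9 alice OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, max_success_ratio=0.5):
    """Return {ip: distinct_usernames_tried} for every IP that, within any
    `window`, tried at least `min_users` distinct usernames while succeeding
    on no more than `max_success_ratio` of its attempts."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so evs[start..end] fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

A single user failing and then succeeding from one IP (the second address in the sample) is a normal typo pattern and is not flagged; the first address, cycling through six accounts in seconds, is.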
Response to Hack ‘Inadequate’
The ICO outlined in its ruling that the hackers began their credential stuffing in April 2023, before their first period of intense stuffing activity the following month. In August 2023, a claim that data theft from the site had impacted 10 million people worldwide was dismissed as a hoax, “despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023,” the ICO said.
A further wave of credential stuffing occurred in September 2023. An investigation was not launched until October, when a 23andMe employee discovered the stolen data for sale on Reddit.
‘Wake Up Call’ for Data Privacy
Adrianus Warmenhoven, a cybersecurity expert at NordVPN, said earlier this year, “What we’re witnessing with 23andMe is a stark wakeup call for data privacy.” “Genetic data isn’t just a bit of personal information—it is a blueprint of your entire biological profile,” he said.
23andMe filed for bankruptcy in the United States on March 23, after facing heavy financial losses in the aftermath of the attack.
Protections for Customer Data
A 23andMe spokesperson told The Epoch Times that by the end of 2024, “23andMe had implemented multiple steps to increase security to protect individual accounts and information.” “As part of its agreement to acquire 23andMe, TTAM Research Institute made several binding commitments to enhance protections for customer data and privacy,” the spokesperson said.
These include “allowing individuals to delete their account and opt out of research at any time,” implementing privacy procedures, and “agreeing not to sell or transfer genetic data under a subsequent bankruptcy or change of control to any entity that does not adopt TTAM’s policies and comply with all laws.”
The company is also offering customers two years of free Experian identity theft monitoring.