The Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31m.

The fine comes as a result of the California-based medtech firm failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.

The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.

Between April and September 2023, a hacker carried out a credential stuffing attack – collecting stolen credentials like usernames and passwords to achieve an account takeover – on 23andMe’s platform.

The attack exploited login credentials that had been reused by users after being stolen in previous, unrelated data breaches, and resulted in unauthorised access to personal information belonging to 155,592 UK residents.
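The credential stuffing pattern described above has a recognisable signature in authentication logs: one source trying many distinct accounts in a short window, most attempts failing, a few succeeding. The following Python is an added illustration of that detection logic, not code from the article or from 23andMe's systems; the log events, IP addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data):
# (timestamp, source_ip, username, outcome)
EVENTS = [
    ("2023-05-01T10:00:01", "203.0.113.7", "alice", "fail"),
    ("2023-05-01T10:00:02", "203.0.113.7", "bob", "fail"),
    ("2023-05-01T10:00:02", "203.0.113.7", "carol", "fail"),
    ("2023-05-01T10:00:03", "203.0.113.7", "dave", "success"),
    ("2023-05-01T10:00:04", "203.0.113.7", "erin", "fail"),
    ("2023-05-01T10:00:05", "203.0.113.7", "frank", "fail"),
    ("2023-05-01T10:00:06", "203.0.113.7", "grace", "success"),
    # A legitimate user mistyping their own password, then getting in:
    ("2023-05-01T10:05:00", "198.51.100.2", "alice", "fail"),
    ("2023-05-01T10:05:30", "198.51.100.2", "alice", "fail"),
    ("2023-05-01T10:06:00", "198.51.100.2", "alice", "success"),
]


def detect_credential_stuffing(events, window=timedelta(minutes=1),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Return {source_ip: summary} for sources whose login behaviour matches
    credential stuffing: within `window` a single source tries at least
    `min_distinct_users` different accounts, most attempts fail, and any
    successes are likely reused-password hits (account takeovers).
    A single user retrying their own account is deliberately not flagged.
    Thresholds are assumed values; tune them to the platform's traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological order per source
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) < min_distinct_users:
                continue
            successes = [u for _, u, o in win if o == "success"]
            if len(successes) / len(win) <= max_success_ratio:
                alerts[ip] = {"distinct_users": len(users), "attempts": len(win),
                              "compromised": sorted(set(successes))}
    return alerts
```

The `compromised` list is the set of accounts that accepted a password during the suspicious burst, which is what a responder would want to force-reset and review first.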

Information potentially revealed included names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. 

The commissioner’s investigation found that the company did not have additional verification steps for users to access and download their raw genetic data.

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK,” said John Edwards, UK Information Commissioner.

“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”

Back in March, the ICO had originally planned to fine the company, which was once valued at $6bn, £4.59m.

This came at the same time that 23andMe filed for bankruptcy and its co-founder and CEO, Anne Wojcicki, resigned with immediate effect.

There were, however, reports that she plans to return to acquire the company and pivot it towards drug development.

It was reported on 14th June by CNBC that Wojcicki’s new non-profit organisation, TTAM Research Institute, is set to acquire all of 23andMe’s assets for $305m, giving her control once more. 

“I am thrilled that TTAM Research Institute will be able to continue the mission of 23andMe to help people access, understand and benefit from the human genome,” she said. 

In relation to the fine, the ICO found that the company breached UK data protection law by failing to put in place the appropriate authentication measures described above, and by failing to monitor, detect and respond to cyber threats to its customers’ personal information.

It also pointed to several occasions between April 2023 and September 2023 on which 23andMe’s response to the incident was ‘inadequate’.

The firm did not start a full investigation until October 2023, when an employee discovered that the stolen data had been advertised for sale on Reddit.

Philippe Dufresne, Privacy Commissioner of Canada, added: “Strong data protection must be a priority for organisations, especially those that are holding sensitive personal information. 

“With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organisation that is not taking steps to prioritise data protection and address these threats is increasingly vulnerable.

“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources, and expertise, we are able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”