The Information Commissioner's Office (ICO) has fined 23andMe more than £2 million for failing to protect users' data in a large-scale cyber attack.
23andMe is a genetic testing company that allows individuals to have parts of their genome read and to access data on their ancestry and inherited traits. The penalty follows a joint investigation by the ICO and the Office of the Privacy Commissioner of Canada into a series of data breaches in 2023. Hackers gained access to sensitive information of over 155,000 UK residents and nearly 320,000 Canadians, including birth years, address details, profile images, ethnicity, family trees and information on health conditions. The breaches left affected customers open to potential exploitation for financial gain, surveillance or discrimination.
'23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond,' said John Edwards, the UK Information Commissioner. 'This left people's most sensitive data vulnerable to exploitation and harm.'
The compromised data was part of a wider breach which affected nearly seven million 23andMe customers worldwide (see BioNews 1211).
The data breach resulted from a prolonged cyber attack conducted between April and September 2023 by hackers using compromised login credentials to access client profiles. During this time, 23andMe conducted isolated investigations into unauthorised activity on the platform, but the claim of data theft affecting over ten million users was dismissed as a hoax. The company began full investigations in October 2023, when employees found stolen data advertised for sale online. 23andMe then confirmed the data breach with the ICO, prompting the investigation.
The joint investigation revealed that the 23andMe platform had 'serious security failings' when the data breach occurred. The ruling outlined that the company had failed to implement security measures, including mandatory multi-factor authentication, secure password protocols or unpredictable usernames. Additionally, appropriate controls were not in place to protect raw genetic data or monitor and respond to cyber threats.
'I expected rigorous privacy controls to be in place due to the nature of the information collected,' an anonymous customer said in a complaint to the ICO. 'Unlike usernames, passwords and e-mail addresses, you can't change your genetic makeup when a data breach occurs.'
The ICO confirmed that by the end of 2024, 23andMe had made sufficient security improvements in response to the identified breaches.
Earlier this year, the company filed for bankruptcy and will be selling its assets, including customer data (see BioNews 1283 and 1289). The UK Information Commissioner and Canadian Privacy Commissioner confirmed that they will monitor the sale to ensure the eventual buyers uphold privacy obligations in relation to customer data.
The ICO advised members of the public that it is the company's legal responsibility to keep users' information secure. However, to reduce risks, it advised customers to use strong, unique passwords for all accounts, enable multi-factor authentication, and be wary of phishing emails concerning personal or genetic information.
Sources and References
- UK watchdog fines 23andMe for 'profoundly damaging' data breach
- 23andMe fined £2.31 million for failing to protect UK users' genetic data
- 23andMe fined millions by UK watchdog over 'profoundly damaging' cyber attack
- 23andMe 'failed to take basic steps' to protect private information, investigation finds
- DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack