
23andMe fined £2.31 million for failing to protect UK citizens’ data

Ryan Brothwell

The Information Commissioner’s Office has fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users.

The fine comes after a large-scale cyber attack in 2023 saw users’ data compromised. The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada, the regulator said in a statement on Tuesday (17 June).

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.
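Credential stuffing of the kind described above has a recognisable footprint in authentication logs: a single source tries many different accounts in a short time, mostly fails, and occasionally succeeds where a password was reused. The following detector is an added example written for this page, not code from the article, the ICO or 23andMe; the log format, the source addresses, the account names and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example, not from the article or from any 23andMe system. The log
format ("timestamp ip username result"), the addresses and usernames, and
the detection thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 sprays one attempt at each of twelve
# accounts in a few seconds; 198.51.100.7 is one user mistyping their own
# password twice, which should not be flagged.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.5 alice FAIL
2023-05-01T10:00:02 203.0.113.5 bob FAIL
2023-05-01T10:00:02 203.0.113.5 carol OK
2023-05-01T10:00:03 203.0.113.5 dave FAIL
2023-05-01T10:00:04 203.0.113.5 erin FAIL
2023-05-01T10:00:05 203.0.113.5 frank OK
2023-05-01T10:00:06 203.0.113.5 grace FAIL
2023-05-01T10:00:07 203.0.113.5 heidi FAIL
2023-05-01T10:00:07 203.0.113.5 ivan FAIL
2023-05-01T10:00:08 203.0.113.5 judy FAIL
2023-05-01T10:00:09 203.0.113.5 mallory FAIL
2023-05-01T10:00:09 203.0.113.5 oscar FAIL
2023-05-01T10:05:00 198.51.100.7 alice FAIL
2023-05-01T10:05:30 198.51.100.7 alice FAIL
2023-05-01T10:06:00 198.51.100.7 alice OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=10):
    """Return {ip: summary} for each source address whose attempts within any
    `window` touch at least `min_accounts` distinct accounts.

    The distinguishing signal is breadth across accounts, not raw failure
    count: a legitimate user retrying one account never trips this rule.
    The summary lists the accounts where a login succeeded, since those
    are the ones a defender must treat as compromised and force to re-auth.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            if len({u for _, u, _ in span}) >= min_accounts:
                flagged[ip] = {
                    "distinct_accounts": len({u for _, u, _ in attempts}),
                    "attempts": len(attempts),
                    "successful_accounts": sorted({u for _, u, ok in attempts if ok}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

In production the same logic runs per source address, per ASN and per device fingerprint, because stuffing campaigns are routinely spread across proxy pools; the per-account success list is what feeds forced password resets and session revocation.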

This resulted in unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer’s account.

The ICO’s investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.
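The control the ICO found missing is step-up verification: a session established by password alone should not be sufficient to export data that cannot be reissued once leaked. The sketch below is an added example, not 23andMe's code or the ICO's prescription; the session fields, the list of sensitive resources and the ten-minute freshness window are assumptions chosen for illustration.

```python
"""Step-up verification gate for sensitive data exports.

Added illustrative example, not code from 23andMe or the ICO. The resource
names, the Session fields and the STEP_UP_MAX_AGE window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed: resources whose download requires a fresh second-factor check.
SENSITIVE_RESOURCES = {"raw_genetic_data", "health_report"}
# Assumed policy: a second-factor check is good for ten minutes of exports.
STEP_UP_MAX_AGE = timedelta(minutes=10)


@dataclass
class Session:
    user_id: str
    authenticated_at: datetime                      # password login time
    step_up_verified_at: Optional[datetime] = None  # last second-factor check


class StepUpRequired(Exception):
    """Raised so the caller can prompt for the second factor and retry."""


def authorise_download(session: Session, resource: str, now: datetime) -> bool:
    """Return True when the download may proceed.

    Non-sensitive resources only need the login session. Sensitive ones
    additionally need a second-factor verification recorded on the session
    that is no older than STEP_UP_MAX_AGE; a stolen or stuffed password on
    its own never satisfies this branch.
    """
    if resource not in SENSITIVE_RESOURCES:
        return True
    verified = session.step_up_verified_at
    if verified is None or now - verified > STEP_UP_MAX_AGE:
        raise StepUpRequired(f"{resource} requires a fresh second-factor check")
    return True


def record_step_up(session: Session, now: datetime) -> Session:
    """Call after the user passes the second factor (e.g. a code sent to a
    previously verified channel); stamps the session with the check time."""
    session.step_up_verified_at = now
    return session


def demo():
    """Walk one session through the gate; returns the outcome of each attempt."""
    t0 = datetime(2023, 5, 1, 10, 0, 0)
    session = Session("user-123", authenticated_at=t0)
    outcomes = []

    def attempt(resource, now):
        try:
            authorise_download(session, resource, now)
            outcomes.append("allowed")
        except StepUpRequired:
            outcomes.append("step_up_required")

    attempt("raw_genetic_data", t0 + timedelta(seconds=5))   # password only
    record_step_up(session, t0 + timedelta(minutes=1))        # passes 2nd factor
    attempt("raw_genetic_data", t0 + timedelta(minutes=2))   # fresh check
    attempt("raw_genetic_data", t0 + timedelta(minutes=30))  # check has expired
    attempt("profile_image", t0 + timedelta(minutes=30))     # not sensitive
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The freshness window matters as much as the check itself: a second factor verified once at login and then trusted indefinitely degrades back to a single-factor session the moment that session token is stolen.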

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number,” said John Edwards (UK Information Commissioner).

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”

This left people’s most sensitive data vulnerable to exploitation and harm, he said.

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”
