TechRadar
Ellen Jennings-Trace

UK watchdog hits 23andMe with multi-million pound fine over 2023 data breach

  • The ICO has issued 23andMe with a £2.31 million ($3.1 million) fine
  • The fine punishes security failings around the 2023 data breach
  • An investigation found 'serious security failings'

The British data protection watchdog, the Information Commissioner’s Office (ICO), has issued a £2.31 million fine to 23andMe for “failing to implement appropriate security measures to protect the personal information of UK users”.

This follows a 2023 cyberattack in which attackers accessed the personal data of 23andMe users.

The attackers directly compromised only about 0.1% of the company's customer base, roughly 14,000 accounts. But because each compromised account could view profile information that other users had chosen to share with their genetic relatives, the attackers were also able to access “a significant number of files containing profile information about other users’ ancestry that such users chose to share.”

Keeping secure

The joint investigation by the ICO and the Office of the Privacy Commissioner of Canada found ‘serious security failings’ and called 23andMe’s actions after the breach ‘inadequate’.

The attackers used credential stuffing: replaying username and password pairs leaked from breaches of other services against 23andMe’s login, which succeeds against any account whose owner reused a password and was not protected by a second factor. The company then waited months before starting a full investigation, and only confirmed the breach after an employee found the stolen data advertised for sale on Reddit.

This breach put those affected at risk not just of the usual identity theft and fraud, but also of highly targeted social engineering. If your genetic or family history is sold to a criminal, it can be used to make an approach to you far more convincing.
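The warning signs of a credential-stuffing campaign are visible in ordinary authentication logs long before the stolen data appears for sale. As an added example (not 23andMe's code or the ICO's analysis), the Python below aggregates login attempts into five-minute windows and flags the combination that distinguishes stuffing from both a brute-force attack on one account and a broken login page: many distinct accounts each tried about once, a high failure rate, and a few source addresses each touching many accounts. The log line format, the sample data and the thresholds are all assumptions constructed for illustration.

```python
# Added example (not 23andMe's code or the ICO's analysis): spotting a
# credential-stuffing burst in authentication logs. The log format, the sample
# data and the thresholds are assumptions made for illustration only.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOG_TS = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class WindowStats:
    start: datetime
    attempts: int
    failures: int
    distinct_users: int
    distinct_ips: int
    max_users_per_ip: int

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts

    @property
    def user_spread(self) -> float:
        # Fraction of attempts aimed at a different account. Close to 1.0 means
        # each account was tried about once, the signature of replaying a leaked
        # credential list; brute force against a single account sits near 0.
        return self.distinct_users / self.attempts


def parse_line(line: str):
    """Parse the assumed format: '<ISO8601Z> login user=<u> ip=<ip> result=ok|fail'."""
    ts, _event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    when = datetime.strptime(ts, LOG_TS).replace(tzinfo=timezone.utc)
    return when, fields["user"], fields["ip"], fields["result"] == "ok"


def bucket_start(when: datetime, window: timedelta) -> datetime:
    """Start of the tumbling window that contains `when`."""
    secs = window.total_seconds()
    return datetime.fromtimestamp(when.timestamp() // secs * secs, tz=timezone.utc)


def window_stats(lines, window=timedelta(minutes=5)):
    """Aggregate login attempts per window, in time order."""
    buckets = defaultdict(list)
    for line in lines:
        when, user, ip, ok = parse_line(line)
        buckets[bucket_start(when, window)].append((user, ip, ok))
    stats = []
    for start in sorted(buckets):
        events = buckets[start]
        users_by_ip = defaultdict(set)
        for user, ip, _ok in events:
            users_by_ip[ip].add(user)
        stats.append(WindowStats(
            start=start,
            attempts=len(events),
            failures=sum(1 for _u, _i, ok in events if not ok),
            distinct_users=len({u for u, _i, _ok in events}),
            distinct_ips=len(users_by_ip),
            max_users_per_ip=max(len(s) for s in users_by_ip.values()),
        ))
    return stats


def find_stuffing(lines, window=timedelta(minutes=5), min_attempts=20,
                  min_failure_rate=0.6, min_user_spread=0.8, max_users_per_ip_ok=5):
    """Windows that look like credential stuffing (thresholds are assumed; tune
    them against your own baseline). The per-IP condition is what separates an
    attack from, say, a broken login page where many real users each fail once
    from their own address."""
    return [
        w for w in window_stats(lines, window)
        if w.attempts >= min_attempts
        and w.failure_rate >= min_failure_rate
        and w.user_spread >= min_user_spread
        and w.max_users_per_ip > max_users_per_ip_ok
    ]


def accounts_to_reset(lines, window=timedelta(minutes=5)):
    """Accounts whose login *succeeded* inside a flagged window. Treat them as
    taken over: revoke sessions, force a password reset and notify the owner."""
    flagged = {w.start for w in find_stuffing(lines, window)}
    taken = set()
    for line in lines:
        when, user, _ip, ok = parse_line(line)
        if ok and bucket_start(when, window) in flagged:
            taken.add(user)
    return sorted(taken)


def build_sample_log():
    """Constructed sample: a quiet baseline window, then a stuffing burst."""
    base = datetime(2023, 10, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Baseline: six real users from six addresses, one of them mistypes once.
    for i, ok in enumerate([True, True, False, True, True, True]):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} login user=user{i}@example.com "
                     f"ip=198.51.100.{10 + i} result={'ok' if ok else 'fail'}")
    # Attack: 30 leaked pairs replayed from three addresses; five victims reused
    # their password, so those five logins succeed.
    attack = base + timedelta(hours=1)
    for i in range(30):
        t = attack + timedelta(seconds=4 * i)
        ok = i % 6 == 0
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} login user=victim{i}@example.com "
                     f"ip=203.0.113.{1 + i % 3} result={'ok' if ok else 'fail'}")
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    for w in find_stuffing(sample):
        print(f"{w.start:%H:%M} attempts={w.attempts} fail_rate={w.failure_rate:.2f} "
              f"spread={w.user_spread:.2f} ips={w.distinct_ips} max_users_per_ip={w.max_users_per_ip}")
    print("reset:", accounts_to_reset(sample))
```

The successful logins inside a flagged window are the takeovers, which is why the example returns them as the reset list rather than just raising an alert. Detection like this is the second line; the first is not letting a replayed password be sufficient on its own, by requiring a second factor and by rejecting passwords already known to be in public breach dumps.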

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK,” confirmed John Edwards, UK Information Commissioner.

“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”

An example of this could be a “family member” reaching out and asking for more information about you, or a “medical company” contacting you about an existing genetic health condition. If you are affected by this breach, be extra vigilant about any unexpected communication that cites details from your profile: the sender knowing your ancestry or a health condition is no proof of who they are, so verify them through a channel you already trust before replying.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm,” Edwards confirmed.

We reached out to 23andMe, and a spokesperson provided us with a statement confirming that "as part of its agreement to acquire 23andMe, TTAM Research Institute made several binding commitments to enhance protections for customer data and privacy".

This includes, but is not limited to: "allowing individuals to delete their account and opt out of research at any time; notifying customers via email at least 2 days prior to the closing of the acquisition about details on TTAM’s role, its commitment to privacy choices and instructions on how to delete data or opt out of research; agreeing not to sell or transfer genetic data under a subsequent bankruptcy or change of control to any entity that does not adopt TTAM’s policies and comply with all laws."
