The ICO’s £2.31m fine against 23andMe for a major data breach is a stark reminder of the regulatory consequences that can result from cybersecurity incidents, in addition to the financial and reputational damage caused to businesses by the incident itself. The consequences of inadequate cybersecurity measures can be existential for the businesses involved in such incidents. Organisations handling sensitive personal data should prioritise robust protections to avoid similar pitfalls.
Tech disputes update: ICO fines 23andMe
The Information Commissioner’s Office (ICO) has imposed a £2.31m fine on genetic testing company 23andMe for failing to implement adequate security measures following a major cyber-attack in 2023. The penalty follows a joint investigation by the ICO and the Office of the Privacy Commissioner of Canada. This comes on top of the financial and reputational damage to 23andMe caused by the attack, which appears to have been a major contributing factor in driving the business to bankruptcy, with proceedings currently being resolved before the US courts.
Between April and September 2023, hackers carried out a "credential stuffing" attack, exploiting reused login credentials stolen from unrelated breaches. This resulted in unauthorised access to personal data of 155,592 UK residents. Exposed data included names, birth years, self-reported city or postcode-level locations, profile images, race, ethnicity, family trees, and health reports. The amount and type of data accessed varied by account, but DNA records were not compromised.
The ICO found that 23andMe lacked critical security measures, such as mandatory multi-factor authentication and secure password protocols. It also failed to implement effective monitoring systems to detect and respond to cyber threats. Despite warning signs, the company was slow to investigate and only confirmed the breach in October 2023 after stolen data was advertised for sale online.
The regulator's significant fine for 23andMe amid its bankruptcy proceedings showed a commitment to taking action.
James Moss
Director, Environmental, Health and Safety
Outcome
The ICO concluded that 23andMe breached UK data protection law by failing to protect special category data, which requires heightened safeguards. John Edwards, UK Information Commissioner, described the breach as “profoundly damaging,” noting the lasting impact on individuals whose sensitive data was exposed.
The fine was imposed amidst 23andMe’s bankruptcy proceedings. This demonstrates the ICO’s commitment to holding organisations accountable whether or not the fine imposed is ever likely to be paid. The company has since been sold to TTAM Research Institute, which has committed to improving data privacy protections.
Practical points for clients
1. Strengthen security protocols: Implement mandatory multi-factor authentication, secure password policies, and unpredictable usernames to protect accounts.
2. Prioritise special category data: Organisations handling sensitive data, such as health or genetic information, should adopt enhanced security measures to comply with UK data protection law.
3. Monitor and respond proactively: Regularly scan for vulnerabilities, install security patches promptly, and ensure robust systems are in place to detect and respond to cyber threats.
4. Educate users on password hygiene: Credential-stuffing attacks exploit weak or reused passwords. Encourage strong, unique passwords and provide tools to support their use.
5. Learn from regulatory action: The ICO’s fine, even amidst bankruptcy proceedings, demonstrates its resolve to enforce data protection laws. Compliance is critical to avoid fines and reputational harm in addition to the immediate impact of the incident itself.
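The monitoring gap the ICO identified is worth making concrete. Credential stuffing looks different from a brute-force attack on one account: a single source tries many distinct accounts, once or twice each, with mostly failures and a few successes where a reused password happens to match. A per-account lockout never sees that pattern, but a per-source view of the authentication log does. The detector below is an added illustration, not code from the article or from 23andMe; the log format and the log lines are constructed, and the thresholds are assumptions to be tuned for a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): "timestamp source_ip username result"
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:02 203.0.113.7 bob FAIL
2023-05-01T10:00:03 203.0.113.7 carol FAIL
2023-05-01T10:00:04 203.0.113.7 dave OK
2023-05-01T10:00:05 203.0.113.7 erin FAIL
2023-05-01T10:00:06 203.0.113.7 frank FAIL
2023-05-01T10:00:07 203.0.113.7 grace FAIL
2023-05-01T10:00:08 203.0.113.7 heidi OK
2023-05-01T10:00:09 203.0.113.7 ivan FAIL
2023-05-01T10:00:10 203.0.113.7 judy FAIL
2023-05-01T10:05:00 198.51.100.4 alice FAIL
2023-05-01T10:05:09 198.51.100.4 alice FAIL
2023-05-01T10:05:20 198.51.100.4 alice OK
"""

def parse(log):
    """Yield (timestamp, source_ip, username, result) for each log line (assumed format)."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def find_credential_stuffing(log, window=timedelta(minutes=5), min_accounts=8, max_success_ratio=0.5):
    """Return {source_ip: (distinct_accounts, successful_logins)} for sources whose attempts,
    within any sliding window, touch at least min_accounts distinct usernames with a low
    success ratio. A legitimate user who forgets a password hits one account, not many."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, r in win if r == "OK")
            if len(users) >= min_accounts and successes / len(win) <= max_success_ratio:
                # keep the widest window seen; successes are the accounts an attacker now holds
                if len(users) > flagged.get(ip, (0, 0))[0]:
                    flagged[ip] = (len(users), successes)
    return flagged
```

On the sample, 203.0.113.7 is flagged with ten accounts touched and two successes, while 198.51.100.4 (one user retrying their own password) is not; the two successes are the accounts that a password reset and a mandatory MFA step would have protected.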
Why this matters
This case should serve as a wake-up call for organisations handling sensitive personal data. Inadequate security measures can lead to severe regulatory penalties in addition to financial and reputational damage and claims from data subjects. Proactively investing in cybersecurity not only ensures compliance but also builds customer trust and resilience.
Next steps
If you have a query that you would like to discuss, please get in touch with one of our specialists.