Data security lapses at 23andMe: Company neglected essential precautions to protect customer information.
In a significant move, the Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31 million for failing to protect customer data after a cyber attack. The breach, which occurred between April and September 2023, exposed the personal information of 155,592 UK residents.
The ICO's investigation found that 23andMe's data protection measures and incident response were seriously deficient. The breach exposed highly sensitive, immutable data like genetic profiles, health conditions, ancestry, and family connections, which pose irreversible privacy risks.
Specifically, the ICO found serious security failures, including no mandatory multi-factor authentication (MFA), insecure password practices, and predictable usernames, which together facilitated a credential-stuffing attack. That attack exposed the data of around 7 million users, including UK residents.
The ICO also criticized 23andMe’s slow breach response and inadequate warnings to affected individuals. The company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit.
Moreover, the ICO found that 23andMe lacked the right measures to monitor for, detect, and respond to cyber threats to its customers' personal information. The breach went undetected for several months, and the DNA download feature remained active for a month after the breach.
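The monitoring gap the ICO describes is the kind of thing a simple rule over authentication logs can surface early. The following is an added, hypothetical example (not from 23andMe or the ICO), assuming a constructed one-line-per-login log format of timestamp, source IP, username and outcome; it flags source addresses that attempt many distinct accounts in a short window with a high failure rate, which is the signature of credential stuffing rather than a brute force on one account, and lists the accounts that succeeded inside a flagged window so they can be reviewed and their sessions revoked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login events (hypothetical, not 23andMe data): time, source IP, user, outcome.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice OK
2023-05-01T10:00:03Z 198.51.100.9 u1001 FAIL
2023-05-01T10:00:04Z 198.51.100.9 u1002 FAIL
2023-05-01T10:00:05Z 198.51.100.9 u1003 OK
2023-05-01T10:00:06Z 198.51.100.9 u1004 FAIL
2023-05-01T10:00:07Z 198.51.100.9 u1005 FAIL
2023-05-01T10:00:08Z 198.51.100.9 u1006 FAIL
2023-05-01T10:01:00Z 192.0.2.44 bob FAIL
2023-05-01T10:01:40Z 192.0.2.44 bob OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct accounts within `window`, mostly failing.
    Distinct users per IP is the signal; the failure-ratio floor spares a busy NAT gateway."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start forward
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                alerts[ip] = {"distinct_users": len(users), "attempts": len(chunk), "failures": fails,
                              "succeeded_accounts": sorted(u for _, u, ok in chunk if ok)}
    return alerts

def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_stuffing(parse_log(SAMPLE_LOG))
```

On the sample, only 198.51.100.9 is flagged (six accounts, five failures) and u1003 is reported as a successful login inside the flagged window; bob's two attempts from one address are an ordinary mistyped password, not stuffing.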
The ICO's fine is the highest ever issued for a data breach in the UK. The fine was imposed for violations of UK GDPR Articles 5(1)(f) and 32(1), which relate to data processing security and integrity.
The ICO's investigation was conducted in collaboration with the privacy commissioner of Canada, Philippe Dufresne. The breach is a reminder of the importance of robust data protection measures, especially for sensitive information like health data.
John Edwards, information commissioner, stated that the breach was damaging and left people’s most sensitive data vulnerable to exploitation and harm. Data breaches, ransomware, and malware attacks are growing in severity and complexity, making data protection a priority for organizations.
In August, 23andMe dismissed a claim of data theft affecting over 10 million users as a hoax. However, the ICO's findings paint a different picture, highlighting the need for improved data protection measures and incident response systems.
The ICO's £2.31 million fine against 23andMe highlights the importance of robust cybersecurity measures, especially for sensitive information such as health data. The breach, which exposed genetic profiles, health conditions, ancestry, and family connections, was attributed to insufficient data protection measures and incident response, including no mandatory multi-factor authentication, insecure password practices, and predictable usernames.