Due to its more sensitive nature, genetic data is considered special category data under UK data protection law and requires further protections and safeguards.
Firms controlling it should consider having additional security measures in place to help secure it, according to the ICO's guidance.
Its investigation - launched along with Canada's privacy commissioner last June - found that 23andMe breached UK data protection law by not having appropriate authentication and verification measures for customers during its login process.
This included not having mandatory multi-factor authentication, which lets users logging in verify themselves through additional means or devices.
The company also did not have secure password requirements or more verification requirements for users trying to download raw genetic data, it added.
Mr Edwards said such failures and delays in resolving them "left people's most sensitive data vulnerable to exploitation and harm".
"Their security systems were inadequate, the warning signs were there, and the company was slow to respond," he said.
The company says that by the end of 2024 it had resolved the issues identified during the probe by the ICO and the Office of the Privacy Commissioner of Canada (OPC).
Both watchdogs recently called on 23andMe to protect the sensitive personal data of its customers amid its bankruptcy proceedings.
The company was initially set to be sold to biotechnology company Regeneron Pharmaceuticals in a $256m deal.
But 23andMe said on Friday it had agreed to the sale of its assets to TTAM Research Institute - a non-profit biotech organisation led by its co-founder and former chief executive Anne Wojcicki.
It said the purchase of the company for a new price of $305m would come with binding commitments to uphold existing policies and consumer protections, such as letting customers delete their accounts and genetic data and opt out of research.
A bankruptcy court is scheduled to hear the case for its approval on Wednesday.