ICO Fines 23andMe £2.31 Million for ‘Profoundly Damaging’ Data Breach

Compliance Challenges During Bankruptcy Proceedings

The Information Commissioner’s Office (ICO) has fined 23andMe £2.31 million due to security shortcomings stemming from a data breach in 2023.

The UK-based DNA testing firm 23andMe has been penalized for failing to adequately protect sensitive user information, following a cyberattack that compromised personal data for over 150,000 residents in the UK. Notably, the finalized fine is roughly half the initial £4.59 million figure that the ICO had proposed.

The ICO’s investigation revealed that the company failed to implement sufficient security measures, particularly in safeguarding its most sensitive data. As described by the regulator, the breach exposed critical personal details, including names, birth years, locations, and ethnicity information, raising significant privacy concerns despite the fact that DNA data itself was not accessed.

The attack, which occurred between April and September of 2023, used a method known as credential stuffing, in which attackers replay username and password pairs stolen in earlier, unrelated breaches against a new service, succeeding wherever a user has reused the same password. By October, attackers had gained access to 23andMe’s platform, affecting 155,592 users in the UK.

This breach was further complicated by a joint investigation by the ICO and Canada’s Office of the Privacy Commissioner (OPC), which identified multiple security inadequacies at 23andMe. These included insufficient login verification measures, weak password policies, and a lack of extra verification for accessing sensitive genetic information. According to UK data protection laws, genetic data constitutes “special category data” that necessitates elevated security due to its potential for misuse.
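Credential stuffing leaves a distinctive trace in authentication logs: one source cycling through many different accounts with a high failure rate, which is exactly the pattern that the login-verification controls the regulators found lacking should catch. The following added example (not 23andMe’s or the ICO’s code; the log format, account names and IP addresses are constructed) flags such sources and lists the accounts that did log in from them, since those are the ones needing a forced reset or step-up verification:

```python
import re
from collections import defaultdict

# Constructed sample log in a made-up "ip= user= result=" format, not a real 23andMe log.
# 203.0.113.7 cycles through many accounts with mostly failures and one hit;
# 198.51.100.4 is a single user mistyping their own password twice.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2023-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2023-05-01T10:00:03Z ip=203.0.113.7 user=carol result=fail
2023-05-01T10:00:04Z ip=203.0.113.7 user=dave result=fail
2023-05-01T10:00:05Z ip=203.0.113.7 user=erin result=ok
2023-05-01T10:00:06Z ip=203.0.113.7 user=frank result=fail
2023-05-01T10:05:00Z ip=198.51.100.4 user=grace result=fail
2023-05-01T10:05:09Z ip=198.51.100.4 user=grace result=fail
2023-05-01T10:05:20Z ip=198.51.100.4 user=grace result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_stuffing(log_text, min_accounts=5, min_fail_rate=0.8):
    """Flag source IPs whose traffic looks like credential stuffing: many distinct
    accounts tried from one source with a high failure rate, unlike a single user
    retrying a mistyped password. Returns {ip: {"accounts", "fail_rate", "compromised"}}.
    """
    stats = defaultdict(lambda: {"users": set(), "ok": set(), "fails": 0, "total": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the detector
        s = stats[rec["ip"]]
        s["users"].add(rec["user"])
        s["total"] += 1
        if rec["result"] == "fail":
            s["fails"] += 1
        else:
            s["ok"].add(rec["user"])
    flagged = {}
    for ip, s in stats.items():
        fail_rate = s["fails"] / s["total"]
        if len(s["users"]) >= min_accounts and fail_rate >= min_fail_rate:
            # "compromised": accounts that logged in from a flagged source (force reset / step-up)
            flagged[ip] = {"accounts": len(s["users"]), "fail_rate": round(fail_rate, 2),
                           "compromised": sorted(s["ok"])}
    return flagged
```

The thresholds are illustrative; in production they would be tuned per service and combined with per-account lockout and a second factor for access to sensitive data.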

John Edwards, the UK Information Commissioner, emphasized that 23andMe had neglected to take fundamental security precautions, which left sensitive data exposed to potential exploitation. The ICO’s findings highlighted that 23andMe’s security systems were lacking, and the firm was slow to respond to the breach.

In light of these events, 23andMe announced it had addressed the identified issues by the end of 2024, although these corrective actions arrived too late to evade regulatory consequences. Complicating matters, the company is currently navigating bankruptcy proceedings. Initially poised to be acquired by Regeneron Pharmaceuticals for $256 million, 23andMe has instead agreed to an asset sale to the TTAM Research Institute, a non-profit biotech organization co-founded by Anne Wojcicki, a 23andMe co-founder and former CEO.

This revised agreement, valued at $305 million, includes binding commitments to enhance privacy protections. TTAM has pledged to improve data security measures and safeguard consumer rights, allowing users to delete their accounts, eliminate genetic data, and opt out of research programs. A hearing in a U.S. bankruptcy court is set for Wednesday to consider this sale, with both the UK and Canadian regulators urging TTAM to maintain high standards for customer protection throughout the transition.

Following the ICO’s fine, cybersecurity professionals stress that most breaches can be traced back to a failure to adopt basic security practices. As experts remind business owners, protecting personal and sensitive data is paramount to maintaining both customer trust and compliance with regulatory standards.
