ICO fines 23andMe £2.31m over 'profoundly damaging' data breach

Comes in the middle of bankruptcy proceedings

The ICO has fined 23andMe £2.31 million for failing to protect the personal data exposed in its 2023 data breach.

The UK's data protection watchdog has fined DNA testing company 23andMe £2.31 million for failing to safeguard sensitive user data in a 2023 cyberattack that exposed the personal information of more than 150,000 UK residents.

While substantial, the penalty is roughly half the £4.59 million fine the regulator had initially intended to levy.

The Information Commissioner's Office (ICO) concluded that 23andMe lacked adequate security protocols and failed to implement necessary safeguards, particularly for its most sensitive data.

The breach, which the regulator described as "profoundly damaging," exposed names, birth years, locations, ethnicity, family trees and in some cases health reports.

While DNA data itself was not stolen, the nature of the compromised information raised alarm due to its deeply personal nature.

The attack, which unfolded between April and September 2023, used credential stuffing: the attackers took username and password pairs leaked in unrelated breaches and replayed them against 23andMe's login page, gaining access wherever a customer had reused the same password.

By October, attackers had infiltrated 23andMe's platform and accessed data linked to 155,592 UK users.

The ICO's investigation, conducted jointly with Canada's Office of the Privacy Commissioner (OPC), revealed multiple failings.

Most notably, 23andMe lacked robust login verification, did not enforce secure password practices, and did not require any additional verification before a logged-in account could download sensitive genetic information.
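The credential-stuffing pattern described above, and the question of which accounts a successful stuffing run actually compromised, as an added example (this is not code from 23andMe, the ICO or the article): a detector that runs over constructed authentication log lines and flags any source address that tries many distinct usernames in a short window with mostly failures, then lists the accounts that nevertheless logged in from that address. The log format, the IP addresses, the usernames and the thresholds are all assumptions chosen for illustration.

```python
"""Credential-stuffing detector over web-app authentication logs.

Added example, not code from 23andMe or the ICO. The log format, addresses,
usernames and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result.
# 203.0.113.5 cycles through ten different accounts in ten seconds (stuffing);
# 198.51.100.7 is one user mistyping a password twice; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2023-05-01T10:00:02Z 203.0.113.5 bob@example.com FAIL
2023-05-01T10:00:03Z 203.0.113.5 carol@example.com FAIL
2023-05-01T10:00:04Z 203.0.113.5 dave@example.com SUCCESS
2023-05-01T10:00:05Z 203.0.113.5 erin@example.com FAIL
2023-05-01T10:00:06Z 203.0.113.5 frank@example.com FAIL
2023-05-01T10:00:07Z 203.0.113.5 grace@example.com FAIL
2023-05-01T10:00:08Z 203.0.113.5 heidi@example.com FAIL
2023-05-01T10:00:09Z 203.0.113.5 ivan@example.com SUCCESS
2023-05-01T10:00:10Z 203.0.113.5 judy@example.com FAIL
2023-05-01T10:05:00Z 198.51.100.7 alice@example.com FAIL
2023-05-01T10:05:30Z 198.51.100.7 alice@example.com FAIL
2023-05-01T10:06:00Z 198.51.100.7 alice@example.com SUCCESS
2023-05-01T11:00:00Z 192.0.2.9 bob@example.com SUCCESS
"""


def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=8, max_success_rate=0.5):
    """Flag source IPs that attempt many distinct usernames inside one window
    with a low success rate. Returns {ip: summary}; the summary records the
    accounts that DID succeed, since those are the ones the attacker now holds."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = sum(1 for e in win if e[3])
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "successes": successes,
                    "compromised": sorted(e[2] for e in win if e[3]),
                }
                # Keep the widest qualifying window for this IP.
                if ip not in flagged or summary["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = summary
    return flagged


def accounts_needing_reset(flagged):
    """Accounts that logged in successfully from a flagged address: force a
    password reset, revoke sessions and require step-up verification before
    any further data export."""
    return sorted({u for s in flagged.values() for u in s["compromised"]})


if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, s in hits.items():
        print(f"{ip}: {s['distinct_users']} users, {s['attempts']} attempts, {s['successes']} succeeded")
    print("reset:", accounts_needing_reset(hits))
```

The per-IP threshold catches the noisy case in the sample, but a campaign spread across many proxies, each sending a handful of attempts, will stay under `min_users` per address; for that, the same counts need to be taken across all sources per window and compared with the site's normal failure rate. Either way, the accounts returned by `accounts_needing_reset` are the ones the attacker can log into, and in a system that holds special category data the download of that data should require a second factor regardless of whether the login looked suspicious.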

Under UK data protection laws, genetic data is classified as "special category data", warranting enhanced security protocols due to the potential for misuse.

The ICO found that 23andMe had not adhered to these requirements and breached legal obligations by neglecting to put appropriate technical measures in place.

"23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm," UK Information Commissioner John Edwards said.

"Data protection doesn't stop at borders, and neither do we when it comes to protecting the rights of UK residents."

In response to the joint probe, 23andMe said it had resolved the identified issues by the end of 2024, though the remedial actions came too late to avoid regulatory penalties.

Complicating the situation is 23andMe's ongoing bankruptcy.

Initially set to be acquired by Regeneron Pharmaceuticals for $256 million, the company announced last week that it had instead agreed to sell its assets to the TTAM Research Institute, a non-profit biotech organisation founded by 23andMe co-founder and former CEO Anne Wojcicki.

The revised $305 million deal includes binding privacy commitments.

TTAM Research Institute has pledged to enhance data protections and preserve consumer rights, including the ability for users to delete their accounts, remove genetic data, and opt out of research programmes.

A US bankruptcy court is scheduled to hear the case on Wednesday to approve the sale.

Both UK and Canadian regulators have urged TTAM to uphold the strongest possible safeguards for customers during the transition.

Commenting on the ICO's fine of 23andMe, Max Vetter, VP of Cyber at Immersive, said: "The truth is that the majority of breaches happen because the most simple and basic security practices are not followed. The ICO's fine is substantial; however, it is justified. When an organisation is responsible for such personal and sensitive data, the security basics cannot be ignored."