23andMe 'failed to take basic steps' to safeguard customer data
The ICO has strong criticism for the way the genetic testing company responded to a 2023 breach.


The Information Commissioner's Office (ICO) has slapped a fine of £2.31 million on genetic testing company 23andMe for failing to protect customer data after a cyber attack.
The credential stuffing attack, which took place between April and September 2023, saw the exposure of the personal information of 155,592 UK residents.
The data exposed included names, birth years, location, profile images, race, ethnicity, family trees, and health reports.
At the time, the company was roundly criticized for appearing to blame users themselves for the breach. It wrote to customers saying they'd "failed to update their passwords following past security incidents unrelated to 23andMe", and had "negligently recycled" login credentials from other accounts that were already exposed.
The ICO, though, takes a different view.
"This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number," said information commissioner John Edwards.
"23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm."
Specifically, the ICO found that 23andMe had failed to implement appropriate authentication and verification measures when customers logged in, including mandatory multi-factor authentication (MFA) and strong passwords.
It also failed to put appropriate security measures in place to deal with access to and the downloading of raw genetic data.
Nor did it have the right measures in place to monitor for, detect, and appropriately respond to cyber threats to its customers' personal information.
"Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information," said Philippe Dufresne, privacy commissioner of Canada, who collaborated with the ICO on the investigation.
"With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable."
As well as failing to protect customer data, 23andMe handled the attack badly, the authorities concluded. The hackers kicked off their credential stuffing attack in April 2023, ramped up their efforts in May, and attempted to initiate profile transfers in July. None of this happened invisibly: 23andMe's platform stopped working, leaving the company's users unable to access it.
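The ICO findings above fault 23andMe for lacking measures to monitor for and detect credential stuffing, and the timeline shows the attack ran for months. As an added example (not code from the article or from 23andMe), here is a minimal detection rule over constructed sample authentication log lines: it flags source IPs that attempt many distinct accounts within a short window with a low success rate, and lists the accounts that were successfully logged into from such an IP so they can be forced through a password reset and MFA enrolment. The log format, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format "timestamp source_ip username result").
# 203.0.113.7 tries seven different accounts in seconds; 198.51.100.2 is one user retrying.
SAMPLE_LOG = """\
2023-04-03T02:00:01Z 203.0.113.7 alice FAIL
2023-04-03T02:00:02Z 203.0.113.7 bob FAIL
2023-04-03T02:00:03Z 203.0.113.7 carol OK
2023-04-03T02:00:04Z 203.0.113.7 dave FAIL
2023-04-03T02:00:05Z 203.0.113.7 erin FAIL
2023-04-03T02:00:06Z 203.0.113.7 frank FAIL
2023-04-03T02:00:07Z 203.0.113.7 grace FAIL
2023-04-03T09:15:00Z 198.51.100.2 alice FAIL
2023-04-03T09:15:20Z 198.51.100.2 alice FAIL
2023-04-03T09:15:40Z 198.51.100.2 alice OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for source IPs whose
    login attempts inside one sliding window span many distinct accounts and
    mostly fail. Legitimate users retry one account; stuffing sprays many."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best[0]:   # keep the widest spray seen
                    flagged[ip] = (len(users), len(span), successes)
    return flagged

def accounts_to_reset(log_text):
    """Accounts that logged in successfully from a flagged IP: treat as compromised."""
    bad_ips = detect_credential_stuffing(log_text)
    return {user for line in log_text.splitlines() if line.strip()
            for _, ip, user, ok in [parse_line(line)] if ok and ip in bad_ips}
```

Thresholds are deliberately conservative; in production they would be tuned against baseline traffic and combined with per-account and per-ASN rate limits rather than used alone.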
However, said the ICO, "Despite 23andMe investigating this incident at the time, it failed to detect that this was part of a larger ongoing data breach."
It didn't start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.
In August, it even dismissed a claim of data theft affecting over 10 million users as a hoax.
23andMe has since filed for Chapter 11 bankruptcy in the US, with a sale hearing set for today. The ICO said it was monitoring the situation closely, pointing out that the protections and restrictions of the UK GDPR continue to apply.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.