The United Kingdom’s top data privacy regulator has fined the embattled personal genomics company 23andMe more than $3 million. This was for its allegedly poor cybersecurity practices and its slow response to a devastating 2023 data breach. The breach, which revealed the genetic data of millions of the firm’s customers, spanned several months during which 23andMe failed to act. The Information Commissioner’s Office, or ICO, announced the significant £2.31 million fine ($3.14 million) in a press release on Tuesday. This news comes on the heels of Friday’s announcement that a nonprofit will be taking control of the company. The ICO noted that 23andMe failed to require additional verification measures for all users to access and download their raw genetic data.
The genetic testing firm unfortunately broke several key United Kingdom data protection laws, according to the Information Commissioner’s Office. This included failing to require mandatory multi-factor authentication (MFA), secure passwords, and also the use of hard to predict usernames. 23andMe also did not have the proper systems in place to effectively monitor, detect, and respond to various cyber threats. A 23andMe spokesperson said that by the end of 2024, the company had implemented multiple steps to increase its security. The so-called credential stuffing attack first began in April 2023, with intense activity starting a few months later that summer. The personal information of seven million people was compromised.
The ICO’s investigation concluded that the company 23andMe unfortunately missed several key opportunities to act during the long-running data breach. The hacker began the credential stuffing attack in April 2023 but didn’t start their first round of intense activity until May 2023. In July 2023, the hacker used a computer program to log into a free account over a million times as part of an attempt. Later that month, the hacker tried to initiate profile transfers in 400 separate accounts, which should have been a major alert. 23andMe investigated at that point but failed to detect that this was part of a much larger ongoing security data breach.
This significant ICO fine comes just a few days after it was revealed that the TTAM Research Institute is the winning bidder. This non-profit organization, which is run by 23andMe’s Co-Founder and former CEO, Anne Wojcicki, will acquire the company. Statements and assurances have been made by the upcoming buyer to ensure it will respect all of the existing privacy policies. Canada’s Privacy Commissioner, who conducted a joint investigation, said they will be carefully following that the obligations should continue to apply. He also explained that Canadian privacy law does not yet provide him with the ability to issue orders and fines for such breaches. He hopes and expects that the new parliament will be turning its attention to remedying this particular legislative gap very soon.
Reference: