DNA testing company 23andMe has been fined £2.31 million by the UK Information Commissioner’s Office (ICO) due to a significant data breach in 2023 that affected thousands of individuals. The breach occurred while the company was already facing financial difficulties, eventually resulting in its filing for bankruptcy.
Circumstances of the Breach
In October 2023, 23andMe suffered a “credential stuffing” attack, in which hackers logged in with passwords that had already been exposed elsewhere and reused by 23andMe customers. This gave them unauthorized access to 14,000 accounts and, through those accounts, to data on approximately 6.9 million individuals. The personal data accessed included names, birth years, geographical details, profile images, race, ethnicity, health reports, and family trees, and 155,592 UK residents were affected. The hackers did not compromise DNA records.
“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions,” stated Information Commissioner John Edwards.
Regulatory Findings and Company Response
The ICO’s investigation revealed that 23andMe’s lack of adequate security measures facilitated the breach. The company did not implement necessary protections, including mandatory multi-factor authentication during the login process, secure password requirements, and reinforced verification protocols for accessing genetic data.
Edwards emphasized that these oversights left users’ sensitive data vulnerable to exploitation. “Their security systems were inadequate, the warning signs were there, and the company was slow to respond,” he remarked.
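The two findings above describe a detectable attack pattern and a set of missing controls. The following is an added example, not 23andMe's code or anything the ICO published: it runs a credential-stuffing check over a handful of constructed login events (one source address trying many different accounts with an occasional success, as opposed to one account being hammered), rejects passwords that appear on a constructed list of known-exposed passwords, and gates every login and all genetic-data access behind multi-factor authentication. The log lines, thresholds, and the `Session` shape are all assumptions made for the example.

```python
"""Added example: credential-stuffing detection and the login controls the
ICO said were missing. All events, passwords and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed login events: (source_ip, username, login_succeeded).
# 203.0.113.7 walks through many accounts once each; 198.51.100.2 retries one.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", False),
    ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", True),
    ("203.0.113.7", "dave", False),
    ("203.0.113.7", "erin", True),
    ("203.0.113.7", "frank", False),
    ("198.51.100.2", "alice", False),
    ("198.51.100.2", "alice", False),
    ("198.51.100.2", "alice", True),
]

# Constructed stand-in for a breached-password corpus (e.g. a k-anonymity lookup
# against a real service would replace this set in production).
EXPOSED_PASSWORDS = {"password123", "qwerty", "letmein", "23andme2023"}


def flag_credential_stuffing(events, min_distinct_users=5):
    """Return {source_ip: summary} for addresses that tried many distinct accounts.

    Brute force looks like many attempts on one username; credential stuffing
    looks like roughly one attempt per username across many usernames, with a
    few successes where the password was reused. Successes from a flagged
    address are listed so those accounts can be locked and re-verified."""
    users_by_ip = defaultdict(set)
    attempts_by_ip = defaultdict(int)
    successes_by_ip = defaultdict(set)
    for ip, user, ok in events:
        users_by_ip[ip].add(user)
        attempts_by_ip[ip] += 1
        if ok:
            successes_by_ip[ip].add(user)
    flagged = {}
    for ip, users in users_by_ip.items():
        if len(users) >= min_distinct_users:
            flagged[ip] = {
                "distinct_accounts": len(users),
                "attempts": attempts_by_ip[ip],
                "compromised_accounts": successes_by_ip[ip],
            }
    return flagged


def password_acceptable(password, exposed=EXPOSED_PASSWORDS, min_length=12):
    """A 'secure password requirement': long enough and not already exposed."""
    return len(password) >= min_length and password.lower() not in exposed


@dataclass
class Session:
    username: str
    mfa_verified: bool  # second factor completed in this session


def access_decision(session, resource):
    """Mandatory MFA for any access; genetic data gets no exception.

    Returns "allow" or "require_mfa". Keeping the decision in one place makes
    it easy to audit that no resource path bypasses the second factor."""
    if not session.mfa_verified:
        return "require_mfa"
    return "allow"


if __name__ == "__main__":
    for ip, info in flag_credential_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['distinct_accounts']} accounts tried, "
              f"lock {sorted(info['compromised_accounts'])}")
    print(password_acceptable("password123"), password_acceptable("correct-horse-battery-staple"))
    print(access_decision(Session("alice", False), "genetic_data"))
```

In this constructed data the detector flags only 203.0.113.7 and names `carol` and `erin` as the accounts to lock and re-verify; the repeated attempts on `alice` from the second address are a different signal (brute force or a forgetful user) and are left to a per-account lockout rule. The thresholds are illustrative; a real deployment would tune them against its own traffic and add a time window.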
In response to the investigation, 23andMe announced that it has addressed the identified issues in collaboration with the ICO and the Office of the Privacy Commissioner of Canada, with all remedial actions expected to be finalized by the end of 2024.
New Ownership and Data Protection Commitments
Amid its bankruptcy, 23andMe is set to be sold to TTAM Research Institute, a non-profit organization led by Anne Wojcicki, co-founder and former CEO of the company. The sale, valued at $305 million, will include binding commitments to enhance protections for customer data and privacy. The new ownership aims to uphold existing policies that allow users to delete their accounts and genetic data, in addition to opting out of research activities.
Initially, 23andMe had intended to sell its assets to biotechnology firm Regeneron Pharmaceuticals in a $256 million deal. However, this agreement has since been replaced by the arrangement with TTAM Research Institute.
Impact on Stakeholders
Consumer protection is at the forefront of concerns surrounding the breach and subsequent data management practices. The ICO, along with Canadian regulators, has urged 23andMe to take stronger measures to safeguard its users’ sensitive data, particularly given the nature of genetic information as special category data under UK law.
The bankruptcy court is expected to consider the approval of the sale on Wednesday, marking a pivotal moment for the future of 23andMe and the continued protection of its customers’ data.
Organizations handling sensitive customer information are reminded to maintain robust security protocols to prevent similar breaches, highlighting the importance of safeguarding personal data in today’s digital landscape.