DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack


TruthLens AI Summary

The genetic testing company 23andMe has been fined over £2.3 million by the UK Information Commissioner’s Office (ICO) due to a significant data breach that compromised the personal information of more than 150,000 UK residents. The breach, which occurred during the summer of 2023, exposed sensitive data including family trees, health reports, names, and postcodes. The company only confirmed the breach months later, after an employee discovered that the stolen data was being sold on the social media platform Reddit. John Edwards, the Information Commissioner, described the incident as a "profoundly damaging breach" and noted that the UK data compromised was a small fraction of the total, with approximately 7 million individuals affected globally. This incident has raised serious concerns about the company's data protection practices and the adequacy of their security systems, which failed to implement basic protective measures such as stronger user authentication protocols.

In the aftermath of the breach, many customers asked to have their DNA data deleted from the company's archives. The situation has been complicated by 23andMe's bankruptcy filing in the US in March 2025, which coincided with a bid by former CEO Anne Wojcicki to regain control of the company through a bankruptcy auction. The ICO's investigation found that the attackers exploited a common weakness, passwords that users had reused after they were stolen in earlier, unrelated breaches, using automated login attempts known as "credential stuffing". Edwards criticised the company for its slow response to the warning signs, which left sensitive data exposed to exploitation. Since the breach, 23andMe says it has implemented several security enhancements, and the acquiring party has made commitments to improve customer data protection, including two years of free identity theft monitoring and a pledge that genetic data will not be sold or transferred in a subsequent bankruptcy or change of control. The fine adds to a series of multimillion-pound penalties the ICO has imposed on organisations for inadequate data protection in recent years.


The genetic testing company 23andMe has been fined more than £2.3m for failing to protect the personal information of more than 150,000 UK residents after a large-scale cyberattack in 2023.

Family trees, health reports, names and postcodes were among the sensitive data hacked from the California-based company. It only confirmed the breach months after the infiltration started and once an employee saw the stolen data advertised for sale on the social media platform Reddit, according to the UK Information Commissioner’s Office – which levied the fine.

The information commissioner, John Edwards, called the months-long incident across the summer of 2023 a “profoundly damaging breach”. The compromise of UK data was just a fraction of the wider losses, with the data of 7 million people affected.

23andMe charges users £89 to have their DNA screened using a saliva-based kit, allowing them to discover where their distant ancestors came from in terms of their ethnicity and location. But many customers asked for their DNA data to be deleted from the company’s archives after the hack and it filed for bankruptcy protection in the US in March.

The fine came as a $305m bid to buy the company led by its former chief executive, Anne Wojcicki, looked poised to retake control of the company in a bankruptcy auction.

Edwards said the data breach “exposed sensitive personal information, family histories and even health conditions of thousands of people in the UK”.

“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number,” he said.

23andMe failed to take basic steps to protect the information and its security systems were inadequate, the UK data protection regulator found. The failings included not enforcing stronger user authentication.

The attacker exploited a common weakness: users reusing passwords that had already been stolen in other, unrelated data breaches. Automated tools were then used to try those leaked username and password pairs against 23andMe accounts, a tactic called “credential stuffing”.
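The two defensive checks implied by the paragraph above, as an added example that is not part of the Guardian article or of any 23andMe code: a detector that flags the credential-stuffing pattern in authentication logs (one source IP cycling through many distinct accounts with a high failure rate, plus the accounts it did get into), and a login-time check that rejects or steps up passwords already present in a breach corpus, using the same hash-prefix (k-anonymity) range query shape that services such as Pwned Passwords expose. The log events, the breach corpus and the thresholds are all constructed for illustration; the range lookup is an offline stand-in, not a network call.

```python
"""Credential-stuffing detection and breached-password checking (illustrative)."""
import hashlib
from collections import defaultdict

# Constructed sample authentication events, not real logs:
# (epoch_seconds, source_ip, username, outcome)
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "alice", "fail"),
    (1001, "203.0.113.7", "bob", "fail"),
    (1002, "203.0.113.7", "carol", "fail"),
    (1003, "203.0.113.7", "dave", "fail"),
    (1004, "203.0.113.7", "erin", "success"),   # reused password worked
    (1005, "203.0.113.7", "frank", "fail"),
    (1006, "203.0.113.7", "grace", "fail"),
    (1007, "203.0.113.7", "heidi", "fail"),
    (1008, "203.0.113.7", "ivan", "fail"),
    (1009, "203.0.113.7", "judy", "success"),   # reused password worked
    # An ordinary user mistyping once, then logging in: must not be flagged.
    (1000, "198.51.100.20", "alice", "fail"),
    (1010, "198.51.100.20", "alice", "success"),
]


def detect_credential_stuffing(events, window=300, min_accounts=8, min_fail_ratio=0.6):
    """Flag source IPs that attempt at least `min_accounts` distinct usernames
    within `window` seconds with a failure ratio of at least `min_fail_ratio`.
    A single user retrying their own password never meets the account threshold.
    Returns {ip: {"accounts": n, "failures": n, "takeovers": [usernames]}},
    where "takeovers" are accounts the spraying IP successfully entered."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Sliding window over this IP's events, ordered by time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {u for _, u, _ in win}
            failures = sum(1 for _, _, o in win if o == "fail")
            if len(accounts) >= min_accounts and failures / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "accounts": len(accounts),
                    "failures": failures,
                    "takeovers": sorted({u for _, u, o in win if o == "success"}),
                }
    return flagged


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form used by Pwned Passwords range queries."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: hashes of passwords already leaked
# in earlier, unrelated breaches. A real deployment would use a full dump or
# the remote range API; the three entries here are just for the example.
BREACHED_HASHES = {sha1_hex(p) for p in ("password123", "letmein", "qwerty2020")}


def range_lookup(prefix5: str):
    """Offline stand-in for a k-anonymity range query: the client reveals only
    the first five hex characters of the hash and receives every suffix in the
    corpus that shares that prefix, so the full password hash never leaves it."""
    return {h[5:] for h in BREACHED_HASHES if h.startswith(prefix5)}


def is_breached_password(password: str) -> bool:
    """True if the password appears in the breach corpus (checked by hash suffix)."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def login_decision(ip: str, password: str, flagged_ips) -> str:
    """Policy for a login attempt (hypothetical): step up with a challenge such
    as MFA or a rate limit when the source IP is mid-spray or the password is
    known-breached; credential stuffing only works when a reused password is
    accepted at face value, so either check breaks the attack. Otherwise allow."""
    if ip in flagged_ips or is_breached_password(password):
        return "challenge"
    return "allow"


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_EVENTS)
    for ip, info in hits.items():
        print(f"{ip}: {info['accounts']} accounts, {info['failures']} failures, "
              f"successful logins into {info['takeovers']}")
    print("password123 breached:", is_breached_password("password123"))
```

In the constructed log the spraying address is flagged with ten distinct accounts, eight failures and two successful logins (the accounts that would need a forced password reset and session revocation), while the legitimate user who mistyped once is not. The breached-password check is the cheaper control: it runs at login or password-set time and refuses exactly the reused credentials that credential stuffing depends on.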

“The warning signs were there, and the company was slow to respond,” said Edwards, who carried out the investigation jointly with the privacy commissioner of Canada. “This left people’s most sensitive data vulnerable to exploitation and harm.”


A spokesperson for the company said 23andMe had since implemented multiple steps to increase security to protect individual accounts and information. They said that as part of the deal to acquire 23andMe, Wojcicki’s non-profit, the TTAM Research Institute, has made “binding commitments to enhance protections for customer data and privacy, including allowing individuals to delete their account and opt out of research at any time” and “agreeing not to sell or transfer genetic data under a subsequent bankruptcy or change of control”, and offering customers two years of free identity theft monitoring.

The fine is among several multimillion pound punishments meted out by the ICO in recent years for failure to protect data from hacks and ransomware attacks. In 2022, it fined the construction company Interserve £4.4m when staff data was compromised, including contact details, bank accounts, sexual orientation and health.

In March this year it fined an NHS IT supplier, Advanced Computer Software Group, nearly £3.1m for security failings that put the personal information of nearly 80,000 people at risk.

Source: The Guardian