DNA testing firm 23andMe has been fined £2.31m by a UK watchdog over a data breach in 2023 which affected thousands of people. The Information Commissioner's Office (ICO) said the company - which has since filed for bankruptcy - failed to put adequate measures in place to secure sensitive user data prior to the incident. "This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions," said Information Commissioner John Edwards. 23andMe is set to be sold to a new owner, TTAM Research Institute, which said it had "made several binding commitments to enhance protections for customer data and privacy." 23andMe's users were targeted by what is known as a "credential stuffing" attack in October 2023. This saw hackers use passwords exposed in previous breaches to access 23andMe accounts for which people had used the same or similar credentials. They were able to access 14,000 individual accounts - and, through those, download information relating to about 6.9m people linked to as possible relations on the site. According to the ICO, this included access to personal data belonging to 155,592 UK residents, such as names, year of birth, geographical information, profile images, race, ethnicity, health reports and family trees. Stolen data did not include DNA records. "As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number," said Mr Edwards. Due to its more sensitive nature, genetic data is considered special category data under UK data protection law and requires further protections and safeguards. Firms controlling it should consider having additional security measures in place to help secure it, according to the ICO's guidance. Its investigation - launched along with Canada's privacy commissionerlast June- found that 23andMe breached UK data protection law by not having appropriate authentication and verification measures for customers during its login process. This included not having mandatory multi-factor authentication to allow users logging in to verify themselves through additional means or devices. The company also did not have secure password requirements or more verification requirements for users trying to download raw genetic data, it added. Mr Edwards said such failures and delays in resolving them "left people's most sensitive data vulnerable to exploitation and harm". "Their security systems were inadequate, the warning signs were there, and the company was slow to respond," he said. The company says it resolved the issues identified during the ICO and the Office of the Privacy Commissioner of Canada (OPC)'s probe by the end of 2024. Both watchdogsrecently called on 23andMeto protect the sensitive personal data of its customers amid its bankruptcy proceedings. The company was initially set to be sold to biotechnology company Regeneron Pharmaceuticals in a $256m deal. But 23andMesaid on Fridayit had agreed to the sale of its assets to TTAM Research Institute - a non-profit biotech organisation led by its co-founder and former chief executive Anne Wojcicki. It said the purchase of the company for a new price of $305m would come with binding commitments to uphold existing policies and consumer protections, such as letting customers delete their accounts, genetic data and opt out of research. A bankruptcy court is scheduled to hear the case for its approval on Wednesday.
UK watchdog fines 23andMe for 'profoundly damaging' data breach
TruthLens AI Suggested Headline:
"23andMe Fined £2.31 Million by UK Watchdog Over Data Breach"
Bbc News
8.5
TruthLens AI Summary
In 2023, the UK Information Commissioner's Office (ICO) imposed a fine of £2.31 million on DNA testing company 23andMe due to a significant data breach that compromised the personal information of thousands of users. The breach, which occurred in October 2023, involved a 'credential stuffing' attack where hackers exploited previously leaked passwords to access user accounts, ultimately affecting approximately 6.9 million individuals linked to the accounts accessed. The ICO's investigation revealed that the company failed to implement necessary security measures to protect sensitive data, leading to the exposure of personal details such as names, birth dates, geographic locations, and health information for 155,592 UK residents. Although DNA records were not compromised, the breach was described by Information Commissioner John Edwards as 'profoundly damaging,' highlighting the irreversible nature of such data once exposed. The investigation also pointed out that 23andMe lacked adequate authentication processes, including mandatory multi-factor authentication, which is critical for safeguarding sensitive information.
Following the breach and subsequent financial difficulties, 23andMe is undergoing bankruptcy proceedings and has agreed to sell its assets to TTAM Research Institute, a non-profit biotech organization. This sale, valued at $305 million, includes commitments to enhance data protection and privacy for customers, such as allowing users to delete their accounts and opt-out of research. The ICO, alongside Canada’s Office of the Privacy Commissioner, emphasized the importance of stronger security protocols, especially concerning genetic data, which is classified under special category data with stricter protections under UK law. As the company prepares for its transition to new ownership, the ICO has urged 23andMe to prioritize the safeguarding of sensitive personal data to prevent future breaches and protect user privacy effectively. A bankruptcy court is set to review the sale agreement, which represents a crucial step for the company amid ongoing scrutiny of its data protection practices.
TruthLens AI Analysis
You need to be a member to generate the AI analysis for this article.
Log In to Generate AnalysisNot a member yet? Register for free.