UK watchdog fines 23andMe for ‘profoundly damaging’ data breach

DNA testing firm 23andMe has been fined £2.31m by a UK watchdog over a data breach in 2023 which affected hundreds of people.

The Information Commissioner’s Office (ICO) said the company – which has since filed for bankruptcy – did not put adequate measures in place to secure sensitive user data prior to the incident.

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions,” said Information Commissioner John Edwards.

23andMe is set to be sold to a new owner, TTAM Research Institute, which said it had “made a number of binding commitments to enhance protections for customer data and privacy.”

23andMe’s users were targeted by what is known as a “credential stuffing” attack in October 2023.

This saw hackers use passwords exposed in previous breaches to access 23andMe accounts for which people had used the same or similar credentials.

They were able to access 14,000 individual accounts – and, through these, download information relating to about 6.9m people linked to them as possible relatives on the site.

According to the ICO, this included access to personal data belonging to 155,592 UK residents, such as names, year of birth, geographical information, profile pictures, race, ethnicity, health reports and family trees.

Stolen data did not include DNA data.

“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number,” said Mr Edwards.

Because of its more sensitive nature, genetic data is considered special category data under UK data protection law and requires extra protections and safeguards.

Firms controlling it should consider having additional security measures in place to help secure it, according to the ICO’s guidance.

Its investigation – launched alongside Canada’s privacy commissioner last June – found that 23andMe breached UK data protection law by not having appropriate authentication and verification measures for customers during its login process.

This included not having mandatory multi-factor authentication to allow users logging in to verify themselves through additional means or devices.

The company also did not have secure password requirements or additional verification requirements for users attempting to download raw genetic data, it added.
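The credential-stuffing pattern and the two missing controls the ICO describes (no mandatory MFA, no extra verification before raw genetic data is released) can be illustrated with a small defensive script. The following is an added example, not code from the article, the ICO or 23andMe: the log format, IP addresses, account names and the session dictionary are all constructed for the demonstration. The first function flags source addresses that try many different accounts with a high failure rate, which is what distinguishes a stuffing campaign from a single user mistyping a password; the second is a step-up check that refuses a raw-data download unless the session completed MFA recently.

```python
"""Defensive checks against credential stuffing and unverified sensitive downloads.

Added example; the log format and all values below are constructed, not
taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re
import time

# Constructed log format (hypothetical): timestamp, source IP, account, result.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log. 198.51.100.7 cycles through many accounts with
# mostly failures (one reused password happens to work); 203.0.113.5 is a
# single user who mistypes twice and then succeeds; 192.0.2.9 is a clean login.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2023-10-01T10:00:02Z ip=198.51.100.7 user=bob result=FAIL
2023-10-01T10:00:03Z ip=198.51.100.7 user=carol result=FAIL
2023-10-01T10:00:04Z ip=198.51.100.7 user=dave result=FAIL
2023-10-01T10:00:05Z ip=198.51.100.7 user=erin result=OK
2023-10-01T10:00:06Z ip=198.51.100.7 user=frank result=FAIL
2023-10-01T10:01:00Z ip=203.0.113.5 user=grace result=FAIL
2023-10-01T10:01:10Z ip=203.0.113.5 user=grace result=FAIL
2023-10-01T10:01:20Z ip=203.0.113.5 user=grace result=OK
2023-10-01T10:02:00Z ip=192.0.2.9 user=heidi result=OK
"""


@dataclass
class IpStats:
    """Per-source-IP counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag IPs that hit many distinct accounts with a high failure ratio.

    A successful login from a flagged IP is the compromised account worth
    investigating; the success does not exonerate the source.
    """
    stats = defaultdict(IpStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1

    flagged = {}
    for ip, s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s.users),
                "attempts": s.attempts,
                "fail_ratio": round(ratio, 2),
            }
    return flagged


def authorize_raw_data_download(session, now=None, max_mfa_age_s=900):
    """Step-up check: release raw genetic data only after a recent MFA completion.

    `session` is a hypothetical dict holding `mfa_completed_at` as a Unix time.
    Returns (allowed, reason).
    """
    now = time.time() if now is None else now
    mfa_at = session.get("mfa_completed_at")
    if mfa_at is None:
        return False, "mfa_required"
    if now - mfa_at > max_mfa_age_s:
        return False, "mfa_stale"
    return True, "ok"


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"suspected credential stuffing from {ip}: {info}")
    print(authorize_raw_data_download({"mfa_completed_at": time.time()}))
```

The thresholds (five distinct accounts, 80% failures) are deliberately simple; in practice they would be tuned per service and combined with rate limiting and breached-password checks at registration, which addresses the "same or similar credentials" weakness the attack relied on.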

Mr Edwards said such failures and delays in resolving them “left people’s most sensitive data vulnerable to exploitation and harm”.

“Their security systems were inadequate, the warning signs were there, and the company was slow to respond,” he said.

The company says it resolved the issues identified during the ICO and the Office of the Privacy Commissioner of Canada (OPC)’s probe by the end of 2024.

Both watchdogs recently called on 23andMe to protect the sensitive personal data of its customers amid its bankruptcy proceedings.

The company was initially set to be sold to biotechnology firm Regeneron Pharmaceuticals in a $256m deal.

But 23andMe said on Friday it had agreed to the sale of its assets to TTAM Research Institute – a non-profit biotech organisation led by its co-founder and former chief executive Anne Wojcicki.

It said the purchase of the company for a new price of $305m would include binding commitments to uphold existing policies and consumer protections, such as letting customers delete their accounts and genetic data and opt out of research.

A bankruptcy court is scheduled to hear the case for its approval on Wednesday.
