23andMe fined £2.31m over UK users' genetic data breach

Right after the announcement of a $305 million buyout by its former chief executive Anne Wojcicki, genetic testing company 23andMe is facing a hefty fine from the UK's data protection watchdog.

The Information Commissioner's Office (ICO) has levied a £2.31 million ($3.13 million) penalty on the Californian company in connection with a cyberattack in 2023 that resulted in the personal information of millions of its customers around the world being stolen.

Last September, 23andMe settled a class action lawsuit in the US, brought by people affected by the data breach, for $30 million. The suit claimed that the company did not tell customers with Chinese and Ashkenazi Jewish ancestry that the hacker appeared to have specifically targeted these groups.

The ICO said its fine comes after an investigation pointed to unauthorised access by the hacker to personal information belonging to 155,592 UK residents, "potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports."

23andMe had failed to implement additional verification steps for users to access and download their raw genetic data, according to the regulator, which carried out its probe in collaboration with the Office of the Privacy Commissioner of Canada.

"23andMe failed to take basic steps to protect this information," said John Edwards, UK Information Commissioner, in a statement which noted that the company had breached UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames.

"Their security systems were inadequate, the warning signs were there, and the company was slow to respond," he added. "This left people's most sensitive data vulnerable to exploitation and harm. Data protection doesn't stop at borders, and neither do we when it comes to protecting the rights of UK residents."

According to the investigation, in April and May 2023 the hacker used a technique known as "credential stuffing", in which usernames and passwords stolen in other data breaches or bought on the dark web are tried against the site in the hope that customers have reused them.
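The distinguishing signature of credential stuffing is one source trying many different accounts with a low success rate, which a login service can spot in its own authentication logs. The following is an added example, not code from the article or from 23andMe: it parses constructed log lines in a hypothetical `ip=… user=… result=OK|FAIL` format (the field names and thresholds are assumptions), flags source addresses that hit many distinct accounts within a short window while mostly failing, and lists the accounts that were successfully logged into from such a source so they can be forced through a password reset and MFA enrolment.

```python
"""Credential-stuffing detection over authentication log lines (added example)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format; not real 23andMe logs.
# 203.0.113.7 sprays many accounts and lands one; 198.51.100.5 is a user
# mistyping a password; 192.0.2.9 is a shared office address with normal logins.
SAMPLE_LOG = """\
2023-04-12T03:14:01Z ip=203.0.113.7 user=alice result=FAIL
2023-04-12T03:14:02Z ip=203.0.113.7 user=bob result=FAIL
2023-04-12T03:14:03Z ip=203.0.113.7 user=carol result=FAIL
2023-04-12T03:14:04Z ip=203.0.113.7 user=dave result=FAIL
2023-04-12T03:14:05Z ip=203.0.113.7 user=erin result=OK
2023-04-12T03:14:06Z ip=203.0.113.7 user=frank result=FAIL
2023-04-12T03:20:00Z ip=198.51.100.5 user=alice result=FAIL
2023-04-12T03:20:30Z ip=198.51.100.5 user=alice result=OK
2023-04-12T03:25:00Z ip=192.0.2.9 user=gina result=OK
2023-04-12T03:25:10Z ip=192.0.2.9 user=hank result=OK
2023-04-12T03:25:20Z ip=192.0.2.9 user=ivy result=OK
2023-04-12T03:25:30Z ip=192.0.2.9 user=jo result=OK
2023-04-12T03:25:40Z ip=192.0.2.9 user=kim result=OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one line of the assumed format '<iso ts> ip=<addr> user=<name> result=OK|FAIL'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        ip=kv["ip"],
        user=kv["user"],
        success=kv["result"] == "OK",
    )


def parse_log(text: str) -> list[AuthEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_stuffing_sources(
    events: list[AuthEvent],
    window: timedelta = timedelta(minutes=10),
    min_users: int = 5,
    max_success_rate: float = 0.2,
) -> dict[str, dict[str, int]]:
    """Return {ip: summary} for sources whose attempts within any sliding
    `window` cover at least `min_users` distinct accounts with a success rate
    at or below `max_success_rate`. Many accounts plus mostly failures is the
    stuffing pattern; many accounts with high success (a shared NAT) is not."""
    by_ip: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged: dict[str, dict[str, int]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        win: deque[AuthEvent] = deque()
        for e in evs:
            win.append(e)
            while e.ts - win[0].ts > window:  # drop events older than the window
                win.popleft()
            users = {w.user for w in win}
            successes = sum(w.success for w in win)
            rate = successes / len(win)
            if len(users) >= min_users and rate <= max_success_rate:
                summary = {"attempts": len(win), "distinct_users": len(users), "successes": successes}
                # Keep the widest offending window seen for this source.
                if ip not in flagged or summary["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = summary
    return flagged


def accounts_to_reset(events: list[AuthEvent], flagged: dict[str, dict[str, int]]) -> set[str]:
    """Accounts successfully logged into from a flagged source: these are the
    reused-password candidates to force through reset and MFA enrolment."""
    return {e.user for e in events if e.success and e.ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", sorted(accounts_to_reset(evs, hits)))
```

The success-rate criterion is what separates an attacker from a busy shared address: in the sample, the office NAT reaches five distinct accounts too, but every attempt succeeds, so it is not flagged. In production the same logic would run over a streaming window and feed rate limiting, step-up authentication, or an alert, rather than a one-off script.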

Claims that a cyberattack was underway began in August of that year and were initially dismissed as a hoax, according to the investigators, and 23andMe did not start a full investigation until October 2023, when an employee discovered that the stolen data had been advertised for sale on Reddit. It was not until the end of last year that security was tightened up sufficiently to bring an end to the breaches, according to the ICO.

Cybersecurity specialist NordPass has estimated that around two-thirds of people in the US reuse passwords – on average for around five accounts – while around one in five have the same login credentials for 10 accounts or more.

One customer affected by the breach told the ICO: "I expected rigorous privacy controls to be in place due to the nature of the information collected. Unlike usernames, passwords and e-mail addresses, you can't change your genetic makeup when a data breach occurs."

The ICO recommends that people use strong, unique passwords for each account they use, enable multi-factor authentication wherever possible, and remain vigilant against phishing emails or messages that reference personal or genetic information.