
UK Fines 23andMe Over Major Genetic Data Breach

The UK Information Commissioner's Office (ICO) has fined genetic testing company 23andMe £2.31 million ($3.12 million) for what it called serious security failures that resulted in a highly damaging data breach in 2023.

The ICO stated that 23andMe did not adequately safeguard the sensitive data of UK users, which included genotype details, health information, and personal records. Attackers accessed this data through credential stuffing, using stolen login credentials over a five-month period from April to September 2023, without detection. 

“This was a deeply harmful breach that exposed private personal data, family backgrounds, and even medical information of thousands in the UK,” said John Edwards, the UK’s Information Commissioner. “One individual told us that once such information is exposed, it cannot be altered or replaced like a password or credit card.” 

According to breach notification letters sent by 23andMe, some of the stolen data was shared publicly on platforms like the unofficial 23andMe subreddit and BreachForums, a known hacking forum. 

The breach affected 4.1 million individuals in the UK and Germany, along with one million Ashkenazi Jews. In response, 23andMe introduced new security measures, such as enabling two-factor authentication by default and requiring users to reset their passwords. 

When asked how the fine was calculated, an ICO spokesperson explained that the decision took into account 23andMe’s representations during the regulatory process. The fine was determined based on the ICO's Data Protection Fining Guidance, which outlines the maximum penalties allowed. 

This penalty follows 23andMe’s filing for Chapter 11 bankruptcy in March 2024, after several years of financial difficulty. The company also announced plans to sell its assets. 

The 2023 breach triggered several class-action lawsuits. In November 2023, the company updated its Terms of Use in a move that critics said was designed to reduce legal liability, though 23andMe claimed the changes were only intended to streamline arbitration. 

In September 2024, the company agreed to a $30 million settlement over the breach, which exposed data belonging to 6.4 million users worldwide. 
