
The UK’s data watchdog is fining beleaguered DNA testing outfit 23andMe £2.31 million ($3.13 million) over its 2023 mega breach.

Among the various security failings demonstrated by the genetics company were:

  • Unsatisfactory authentication measures, including lack of mandatory MFA and insecure password requirements
  • No measures taken to prevent accessing and downloading raw genetic data
  • No measures to adequately monitor, detect, or respond to security threats to user data

The announcement comes a year after the Information Commissioner’s Office (ICO) and Office of the Privacy Commissioner of Canada (OPC) teamed up to investigate 23andMe and the failures that led to attackers compromising nearly 7 million users’ data.

John Edwards, the UK’s Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us, once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

The ICO went on to note the five-month gap between the attacker’s credential-stuffing activity, which began in April 2023, and 23andMe finally acknowledging the attack publicly in October that year.

It said 23andMe “missed many opportunities to act” during this time and only did so after the stolen data was put up for sale on Reddit.

23andMe took until the end of 2024 to demonstrate that it had sufficiently addressed the fundamental issues that underpinned the credential-stuffing attack, the ICO’s announcement stated.

The genetics company’s fine represents a significant reduction compared to the sum the ICO was previously considering when it issued its Notice of Intent to fine 23andMe in March.

At the time, the proposed fine was £4.59 million ($6.22 million). An ICO spokesperson told The Register today: “By law, the company was given the opportunity to send representations regarding our findings of fact, the application of the law, the proposed form of regulatory action, if any, and the quantum of the proposed fine. 

“We considered these representations and made our final decision to issue a £2.31 million fine to 23andMe for breaching data protection law.”

Attack facts

The 23andMe breach took place between April and September 2023, during which time the attackers used credential-stuffing techniques to access a small portion of the total user accounts.

Around 14,000 accounts were accessed during this time, representing approximately 0.1 percent of the total registrants on the platform. 

However, the total number of affected users was much higher. This is in large part due to so many users opting into 23andMe’s DNA Relatives feature, one of the main selling points of the service, which allowed users to connect with their suspected relatives around the world.

The feature essentially opened up data sharing between 23andMe users at a massive scale, meaning the compromise of just 14,000 accounts led to the personal data of around 6.9 million people being stolen.

According to the ICO, 155,592 UK residents were affected. They potentially had data points such as names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees, and health reports accessed, although this differed on a per-user basis.

Chapter 11

23andMe filed for Chapter 11 bankruptcy protection earlier this year, raising the question of how exactly it will pay the ICO’s fine.

The data watchdog is aware of the proceedings, which involve an auction process, and that a sale hearing is scheduled for today, where founder Anne Wojcicki is expected to be formally declared the owner following a reported $305 million bid via her nonprofit TTAM Research Institute.

The ICO is in close contact with 23andMe’s lawyers and the US trustee, and assures that 23andMe is still obligated to comply with the UK GDPR and the regulator’s enforcement actions.

It deems its fine-collection policy to be robust but fair, offering payment plans for organizations that are enduring genuine financial hardship, a criterion that 23andMe may meet, although the regulator did not comment on this.

Organizations that can pay but won’t can expect the ICO to pursue formal recovery actions that could lead to insolvency.

Philippe Dufresne, Privacy Commissioner of Canada, said: “Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable.

“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources, and expertise, we are able to maximize our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”

The Register asked 23andMe to comment. A spokesperson said that by the end of 2024, 23andMe had taken steps to improve account security. TTAM, its buyer, committed to stronger privacy protections – including opt-outs, breach notifications, a privacy board, identity monitoring, and limits on future data sales – even pledging not to sell genetic data in bankruptcy without following its privacy rules. ®