
UK Slaps 23andMe With Fine Over Major Genetic Data Breach

Summary

– The UK ICO fined 23andMe £2.31 million for failing to protect sensitive genetic and health data of UK residents in a 2023 breach.
– The breach occurred due to credential stuffing attacks over five months, exposing genotype data, health reports, and personal details.
– Leaked data included information on 4.1 million UK and German residents and 1 million Ashkenazi Jews, later posted on hacking forums.
– 23andMe implemented security measures post-breach, such as mandatory two-factor authentication and password resets for all users.
– The company faced financial struggles, filed for bankruptcy, and settled a $30 million lawsuit over the breach affecting 6.4 million customers.

The UK’s data protection authority has imposed a £2.31 million ($3.12 million) penalty on genetic testing firm 23andMe following a significant security lapse that compromised sensitive user information. The Information Commissioner’s Office (ICO) described the breach as deeply concerning, with personal genetic data, health reports, and family histories exposed due to inadequate safeguards.

Between April and September 2023, attackers ran credential-stuffing attacks against the 23andMe login: they replayed username and password pairs leaked in breaches of unrelated services, and gained unauthorized access to the accounts of users who had reused those passwords. The compromised data included genetic profiles, ancestry details, and health-related insights belonging to millions of UK and German residents, as well as a substantial number of Ashkenazi Jewish individuals. Some of this information later surfaced on hacking forums and social media platforms, raising serious privacy concerns.
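The attack pattern described above has a recognisable signature in authentication logs: one source tries many distinct accounts, each only once or twice, with a high failure rate and a few successes sprinkled in. The following is an added example for this article, not code from 23andMe, the ICO or Bleeping Computer. The log line format, the detection thresholds and the sample log are constructed assumptions; the detector also separates that signature from plain brute force (one account hammered repeatedly) and lists the accounts that logged in from a flagged source, which are the ones to force-reset.

```python
"""Detecting credential stuffing in web authentication logs.

Added example for this article; not code from 23andMe or the ICO.
The log format, thresholds and sample log below are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed detection thresholds (tune to your own traffic).
WINDOW = timedelta(minutes=10)
MIN_FAILURE_RATIO = 0.7      # share of attempts in the window that failed
MIN_ACCOUNTS_STUFFING = 5    # distinct accounts tried from one source
MAX_TRIES_PER_ACCOUNT = 2    # stuffing tries each leaked pair once or twice
MIN_TRIES_BRUTE_FORCE = 5    # one account tried repeatedly

# Constructed sample log (not real data).
# Format: "<ISO time> <source ip> <account> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2023-05-01T10:00:00Z 192.0.2.10 alice FAIL
2023-05-01T10:00:20Z 192.0.2.10 alice FAIL
2023-05-01T10:00:45Z 192.0.2.10 alice SUCCESS
2023-05-01T10:00:01Z 203.0.113.5 u01 FAIL
2023-05-01T10:00:02Z 203.0.113.5 u02 FAIL
2023-05-01T10:00:03Z 203.0.113.5 carol SUCCESS
2023-05-01T10:00:04Z 203.0.113.5 u04 FAIL
2023-05-01T10:00:05Z 203.0.113.5 u05 FAIL
2023-05-01T10:00:06Z 203.0.113.5 u06 FAIL
2023-05-01T10:00:07Z 203.0.113.5 u07 FAIL
2023-05-01T10:00:08Z 203.0.113.5 grace SUCCESS
2023-05-01T10:00:09Z 203.0.113.5 u09 FAIL
2023-05-01T10:00:10Z 203.0.113.5 u10 FAIL
2023-05-01T10:00:11Z 203.0.113.5 u11 FAIL
2023-05-01T10:00:12Z 203.0.113.5 u12 FAIL
2023-05-01T10:01:00Z 198.51.100.7 dave FAIL
2023-05-01T10:01:05Z 198.51.100.7 dave FAIL
2023-05-01T10:01:10Z 198.51.100.7 dave FAIL
2023-05-01T10:01:15Z 198.51.100.7 dave FAIL
2023-05-01T10:01:20Z 198.51.100.7 dave FAIL
2023-05-01T10:01:25Z 198.51.100.7 dave FAIL
2023-05-01T10:01:30Z 198.51.100.7 dave SUCCESS
2023-05-01T10:05:00Z 192.0.2.11 bob SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def events_by_source(log_text):
    """Group events by source IP, each list sorted by time."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, account, result = parse_line(line)
        by_ip[ip].append((ts, account, result))
    return {ip: sorted(events) for ip, events in by_ip.items()}


def trailing_windows(events, window=WINDOW):
    """Yield, for each event, the slice of events within `window` ending at it."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        yield events[start:end + 1]


def classify_window(win):
    """Return 'stuffing', 'brute_force' or None for one slice of events."""
    fails = sum(1 for _, _, result in win if result == "FAIL")
    if fails / len(win) < MIN_FAILURE_RATIO:
        return None
    tries = Counter(account for _, account, _ in win)
    # Stuffing: many accounts, each tried at most a couple of times.
    if len(tries) >= MIN_ACCOUNTS_STUFFING and max(tries.values()) <= MAX_TRIES_PER_ACCOUNT:
        return "stuffing"
    # Brute force: a single account tried over and over.
    if len(tries) == 1 and len(win) >= MIN_TRIES_BRUTE_FORCE:
        return "brute_force"
    return None


def detect(log_text):
    """Map each suspicious source IP to a finding from its largest matching window."""
    findings = {}
    for ip, events in events_by_source(log_text).items():
        best = None
        for win in trailing_windows(events):
            kind = classify_window(win)
            if kind and (best is None or len(win) > len(best[1])):
                best = (kind, win)
        if best:
            kind, win = best
            findings[ip] = {
                "type": kind,
                "attempts": len(win),
                "accounts_tried": len({account for _, account, _ in win}),
                # Accounts that logged in from a flagged source: force a
                # password reset and require a second factor on next login.
                "compromised": sorted({a for _, a, r in win if r == "SUCCESS"}),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG).items():
        print(ip, finding)
```

On the sample log, 192.0.2.10 (a user mistyping a password twice) is left alone, 203.0.113.5 is reported as stuffing with carol and grace as the accounts to reset, and 198.51.100.7 is reported as brute force against dave. Grouping by source IP is the simplest cut; real stuffing campaigns rotate through proxy pools, so in production the same counters should also be kept per ASN, per client fingerprint, and globally (a site-wide jump in failed logins across distinct accounts is the signal that survives IP rotation).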

John Edwards, the UK Information Commissioner, emphasized the irreversible nature of genetic data exposure, stating that unlike financial details, this type of information cannot simply be reset or replaced. The breach affected approximately 4.1 million people in the UK and Germany, alongside 1 million Ashkenazi Jews, making it one of the largest genetic data leaks in recent years.

In response, 23andMe introduced enhanced security measures, including mandatory two-factor authentication and password resets for all users. The company also faced legal repercussions, with multiple class-action lawsuits filed by affected customers. In a controversial move, 23andMe revised its terms of service in late 2023, making it more difficult for users to pursue legal action.

The ICO’s fine follows a turbulent period for the company, which filed for Chapter 11 bankruptcy earlier this year amid financial difficulties. Before that filing, in September 2024, 23andMe had agreed to a $30 million settlement to resolve litigation tied to the breach, which impacted 6.4 million customers globally.

Regulators determined the penalty amount after reviewing the company’s representations and applying established data protection guidelines. The ICO stressed that the fine reflects the severity of the security failures and the sensitive nature of the compromised data. This case underscores the growing scrutiny facing companies handling highly personal genetic information and the critical need for robust cybersecurity measures.

(Source: Bleeping Computer)


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.