Troubled DNA testing company 23andMe has been fined £2.31 million by the UK Information Commissioner’s Office (ICO) after thousands of customers’ data was breached by a hacker.
A joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada found that between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.
The attacker was able to access personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports.
UK Information Commissioner John Edwards said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.
“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond.”
The ICO said that 23andMe breached UK data protection law by failing to implement appropriate security measures such as mandatory multi-factor authentication, secure password protocols and unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to detect or respond to cyber threats targeting its customers’ sensitive information.
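The kind of detection the ICO says was missing, as an added illustration rather than code from 23andMe or the ICO: credential stuffing looks like one source cycling through many distinct usernames with a low success rate (unlike a brute-force attack on a single account), so the check below flags such sources and lists the accounts that succeeded from them so they can be forced through a reset and MFA enrolment. The login events and IP addresses are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample login events: (timestamp_seconds, source_ip, username, outcome).
# Not real data; the IPs come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "alice", "fail"),
    (5, "203.0.113.7", "bob", "fail"),
    (9, "203.0.113.7", "carol", "ok"),
    (14, "203.0.113.7", "dave", "fail"),
    (20, "203.0.113.7", "erin", "fail"),
    (26, "203.0.113.7", "frank", "ok"),
    (30, "203.0.113.7", "grace", "fail"),
    (3, "198.51.100.2", "alice", "fail"),   # one user retrying: not stuffing
    (40, "198.51.100.2", "alice", "fail"),
    (70, "198.51.100.2", "alice", "ok"),
]


def detect_credential_stuffing(events, window=60, min_users=5):
    """Return {ip: peak_distinct_users} for sources that attempt logins
    against at least min_users distinct usernames within any `window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, user, _outcome in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        recent = deque()               # attempts inside the sliding window
        live = defaultdict(int)        # username -> attempts still in window
        for ts, user in attempts:
            recent.append((ts, user))
            live[user] += 1
            while recent and recent[0][0] < ts - window:   # expire old attempts
                _, old = recent.popleft()
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
            if len(live) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(live))
    return flagged


def accounts_to_reset(events, flagged):
    """Usernames that logged in successfully from a flagged source: these are
    the likely reused-password victims to force-reset and enrol in MFA."""
    return {user for _ts, ip, user, outcome in events
            if ip in flagged and outcome == "ok"}
```

Thresholds are deliberately low for the sample; in production they are tuned per platform, and the same per-username counting can be applied per ASN or device fingerprint to catch attackers who rotate IPs.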
In August 2023, 23andMe dismissed the claim of data theft as a hoax.
It only admitted that the security breach had occurred and carried out a full investigation in October 2023, after a 23andMe employee discovered that the stolen data had been advertised for sale on the website Reddit.
The news comes as 23andMe announced that it has agreed to be purchased by TTAM Research Institute, a nonprofit public benefit corporation led by the company’s co-founder and former CEO Anne Wojcicki.
TTAM’s $305 million bid for the company beat out a previous offer of $256 million from biotechnology company Regeneron Pharmaceuticals.
If approved, the sale would finally allow Wojcicki to regain control of the company after multiple purchase offers by her were rejected, leading the other members of the 23andMe board to resign.
23andMe said that TTAM had affirmed its commitment to comply with the company’s privacy policies and applicable law.
It also said that TTAM had made binding commitments to adopt additional consumer protections and privacy safeguards, including establishing a Consumer Privacy Advisory Board and offering customers two years of free Experian identity theft monitoring.
TTAM would continue 23andMe’s policy of allowing research scholars at academic universities and other nonprofits to use de-identified data for scientific and biomedical research.
Anne Wojcicki said that TTAM would “continue the mission of 23andMe to help people access, understand and benefit from the human genome”, including giving “consented individuals” the chance to “be part of making novel genetic discoveries”.