23andMe, a prominent genetic testing company, has been fined £2.31 million by a UK watchdog for failing to protect sensitive personal data following a significant data breach. In the first week of October 2023, hackers perpetrated a massive “credential stuffing” attack. They used passwords from previous data hacks to hijack user accounts. In this breach, the names, email addresses, postal addresses, and phone numbers of about 6.9 million people not directly connected to 23andMe users’ personal accounts were exposed.
In June 2023, the UK Information Commissioner’s Office (ICO) stepped in, announcing an investigation into 23andMe in partnership with Canada’s privacy commissioner upon learning of the breach. The company did not have adequate authentication and identity-proofing requirements for its customers when logging in, a failure that breached UK data protection law. As a consequence, 14,000 unique accounts were illegally breached by cybercriminals.
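The warning sign of the attack described above is one source trying many different accounts with a high failure rate; the occasional success amid those failures marks an account whose reused password worked. The check below is an added example, not part of the original article or of 23andMe’s systems: the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (assumed format, not real data).
SAMPLE_LOG = """\
2023-10-01T02:14:05Z login FAIL user=alice src=203.0.113.7
2023-10-01T02:14:06Z login FAIL user=bob src=203.0.113.7
2023-10-01T02:14:06Z login OK user=carol src=203.0.113.7
2023-10-01T02:14:07Z login FAIL user=dave src=203.0.113.7
2023-10-01T02:14:08Z login FAIL user=erin src=203.0.113.7
2023-10-01T02:14:09Z login OK user=frank src=203.0.113.7
2023-10-01T02:15:00Z login FAIL user=alice src=198.51.100.4
2023-10-01T02:15:30Z login OK user=alice src=198.51.100.4
2023-10-01T02:16:00Z login OK user=gina src=192.0.2.9
"""

LINE_RE = re.compile(r"login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")


def analyse(log: str) -> dict:
    """Aggregate per source IP: distinct usernames tried, failures,
    successes, and which usernames logged in successfully."""
    stats = defaultdict(lambda: {"users": set(), "ok_users": set(), "fail": 0, "ok": 0})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login events
        s = stats[m["src"]]
        s["users"].add(m["user"])
        s[m["result"].lower()] += 1  # increments "ok" or "fail"
        if m["result"] == "OK":
            s["ok_users"].add(m["user"])
    return stats


def flag_stuffing(log: str, min_users: int = 5, min_fail_ratio: float = 0.5) -> dict:
    """Flag source IPs matching the credential-stuffing pattern: many distinct
    accounts attempted from one source with a high failure rate. Accounts that
    succeeded from a flagged source are candidates for forced reset and review.
    Thresholds are illustrative assumptions, not vendor guidance."""
    suspects = {}
    for src, s in analyse(log).items():
        total = s["fail"] + s["ok"]
        if len(s["users"]) >= min_users and s["fail"] / total >= min_fail_ratio:
            suspects[src] = {
                "distinct_users": len(s["users"]),
                "fail": s["fail"],
                "ok": s["ok"],
                "compromised_candidates": sorted(s["ok_users"]),
            }
    return suspects
```

A normal user retrying a mistyped password from one address touches one account and is not flagged, which is why the distinct-user count, not the raw failure count, drives the decision.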
Because genetic data is considered special category data under UK law, it requires additional protections and safeguards. Information Commissioner John Edwards emphasized the severity of the breach, stating, “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions.” He noted that the company’s security practices were totally deficient, and faulted its lackadaisical approach to the warning signs that preceded the breach.
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.” – John Edwards
The consequences of this breach go beyond the financial penalty. 23andMe is still working through bankruptcy proceedings, with a court set to hear the case for approval any day now. Last week, the company’s valuation took a $1.9 billion hit. Now, discussions of a new acquisition are in the works at a much lower price tag of $305 million. The purchase would be subject to enforceable promises to maintain current consumer safeguards and guidelines.
These pledges would make it easier for customers to delete their accounts and genetic data and to opt out of research programs. As 23andMe continues to navigate its financial future, protecting customers’ highly sensitive personal genetic information should always come first.