Link(s): | 23andMe fined £2.31 million for failing to protect UK users’ genetic data | ICO 23andMe | ICO 23andMe – Penalty Notice (Redacted Non-Confidential) |
Context
Following its earlier press release, the ICO has published a redacted Penalty Notice setting out its reasons for fining the genetic testing company 23andMe £2.31m for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023. The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.
Key points to note and next actions
- The Penalty Notice is 158 pages long.
- Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.
- This resulted in unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer's account.
- The investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.
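The attack pattern described above (many different accounts tried from one source, roughly one attempt each, with reused credentials succeeding on a fraction of them) is what distinguishes credential stuffing from a brute-force attack on a single account. The following is an added example of a detector for that pattern, written for this page; it is not code from the ICO notice or from 23andMe. The log format, the sample log lines, the source IPs, account names and the thresholds (ten-minute window, five or more distinct accounts, at most two attempts per account) are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not real data).
# 203.0.113.5 sprays one attempt each across many accounts: credential stuffing.
# 198.51.100.7 hammers a single account: brute force, a different pattern.
# 198.51.100.9 is an ordinary successful login.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2023-05-01T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2023-05-01T10:00:03Z ip=203.0.113.5 user=carol@example.com result=SUCCESS
2023-05-01T10:00:04Z ip=203.0.113.5 user=dave@example.com result=FAIL
2023-05-01T10:00:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2023-05-01T10:00:06Z ip=203.0.113.5 user=frank@example.com result=SUCCESS
2023-05-01T10:01:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2023-05-01T10:01:05Z ip=198.51.100.7 user=alice@example.com result=FAIL
2023-05-01T10:01:10Z ip=198.51.100.7 user=alice@example.com result=FAIL
2023-05-01T10:01:15Z ip=198.51.100.7 user=alice@example.com result=FAIL
2023-05-01T10:01:20Z ip=198.51.100.7 user=alice@example.com result=FAIL
2023-05-01T10:01:30Z ip=198.51.100.7 user=alice@example.com result=SUCCESS
2023-05-01T10:02:00Z ip=198.51.100.9 user=grace@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "SUCCESS",
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, max_attempts_per_account=2.0):
    """Flag source IPs that try many distinct accounts with few attempts each.

    Brute force (many attempts, one account) deliberately does not match; it
    needs a separate rule. Returns {ip: {accounts_tried, attempts, compromised}}.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) >= min_accounts and len(win) / len(users) <= max_attempts_per_account:
                a = alerts.setdefault(ip, {"accounts_tried": 0, "attempts": 0, "compromised": set()})
                a["accounts_tried"] = max(a["accounts_tried"], len(users))
                a["attempts"] = max(a["attempts"], len(win))
                # Successful logins inside a stuffing burst are the accounts to lock and notify.
                a["compromised"].update(e["user"] for e in win if e["ok"])

    for a in alerts.values():
        a["compromised"] = sorted(a["compromised"])
    return alerts


if __name__ == "__main__":
    for ip, a in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {a['accounts_tried']} accounts tried, "
              f"{a['attempts']} attempts, compromised={a['compromised']}")
```

The detector keys on the ratio of attempts to distinct accounts rather than on failure counts alone, because a stuffing run that reuses leaked credentials succeeds on some accounts with a single attempt and would slip past a per-account lockout. Accounts in the `compromised` list are the ones that warrant forced re-authentication before sensitive actions such as downloading raw genetic data.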