Brian Sims
Editor
THE INFORMATION Commissioner’s Office (ICO) has fined genetic testing company 23andMe the sum of £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users following a large-scale cyber attack that occurred in 2023. The penalty arises in the wake of a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.
Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting login credentials that had been stolen in earlier, unrelated data breaches and re-used by customers on 23andMe.
This resulted in unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer’s account.
The investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.
Profoundly damaging breach
John Edwards, the UK’s Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories and even the health conditions of thousands of people in the UK. As one of those impacted told us: ‘Once this information is out there, it cannot be changed or reissued like a password or credit card number.’”
Edwards continued: “23andMe failed to take basic steps to protect this information. The company’s security systems were inadequate, the warning signs were there and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”
Further, Edwards noted: “We carried out this investigation in collaboration with our Canadian counterparts. The process highlights the power of international co-operation in holding global companies to account. Data protection doesn’t stop at national borders and neither do we when it comes to protecting the rights of UK residents.”
Philippe Dufresne, the Privacy Commissioner of Canada, observed: “Strong data protection must be a priority for organisations, notably so those that are holding sensitive personal information. With data breaches growing in terms of their severity and complexity, and ransomware and malware attacks rising sharply, any organisation that’s not taking steps to prioritise data protection and address these threats is increasingly vulnerable.”
Dufresne went on to comment: “Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources and expertise, we’re able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”
Summary of contraventions
The joint investigation into 23andMe revealed “serious security failings” at the time of the 2023 data breach. According to the ICO, the company breached UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols or unpredictable usernames.
The company also “failed to implement appropriate controls over access to raw genetic data and didn’t have effective systems in place to monitor, detect or respond to cyber threats targeting its customers’ sensitive information.”
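Two of the missing controls named above can be shown concretely: detection logic that spots the credential-stuffing pattern in authentication logs, and a step-up check that gates raw genetic data downloads behind fresh second-factor verification. The following is an added example written for this page, not 23andMe’s code; the log lines, IP addresses, user names and function names are all constructed for illustration.

```python
"""Added example: two defensive controls the ICO summary says were absent.

Constructed sample data and hypothetical function names; not 23andMe's code.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed authentication log (not real records). One source address tries
# six different accounts in six seconds with mostly failures; an office NAT
# address logs five users in normally; one user mistypes a password twice.
SAMPLE_AUTH_LOG = """\
2023-05-02T10:00:01Z ip=203.0.113.7 user=alice@example.org result=FAIL
2023-05-02T10:00:02Z ip=203.0.113.7 user=bob@example.org result=FAIL
2023-05-02T10:00:03Z ip=203.0.113.7 user=carol@example.org result=OK
2023-05-02T10:00:04Z ip=203.0.113.7 user=dave@example.org result=FAIL
2023-05-02T10:00:05Z ip=203.0.113.7 user=erin@example.org result=FAIL
2023-05-02T10:00:06Z ip=203.0.113.7 user=frank@example.org result=FAIL
2023-05-02T10:01:00Z ip=198.51.100.4 user=gina@example.org result=OK
2023-05-02T10:02:00Z ip=198.51.100.4 user=hal@example.org result=OK
2023-05-02T10:03:00Z ip=198.51.100.4 user=ivy@example.org result=OK
2023-05-02T10:04:00Z ip=198.51.100.4 user=jo@example.org result=OK
2023-05-02T10:05:00Z ip=198.51.100.4 user=kim@example.org result=OK
2023-05-02T10:06:00Z ip=192.0.2.9 user=lee@example.org result=FAIL
2023-05-02T10:06:10Z ip=192.0.2.9 user=lee@example.org result=FAIL
2023-05-02T10:06:20Z ip=192.0.2.9 user=lee@example.org result=OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Parse 'timestamp key=value ...' lines into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(AuthEvent(
            ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
            ip=fields["ip"], user=fields["user"], ok=fields["result"] == "OK"))
    return events


def detect_credential_stuffing(events: List[AuthEvent], window=timedelta(minutes=5),
                               min_distinct_users: int = 5,
                               max_success_rate: float = 0.2) -> Dict[str, dict]:
    """Flag source IPs that try many *different* accounts inside a short window
    with mostly failures. One or two guesses per account across many accounts
    is the shape of credential stuffing; it differs from a brute-force attack on
    one account and from a busy but legitimate shared address, where logins
    mostly succeed. Reports the widest offending window per IP."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)
    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1          # slide the window forward
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = sum(e.ok for e in win)
            if len(users) >= min_distinct_users and successes / len(win) <= max_success_rate:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {"distinct_users": len(users),
                                  "attempts": len(win), "successes": successes}
    return alerts


def raw_data_export_allowed(mfa_verified_at: Optional[datetime], now: datetime,
                            max_age=timedelta(minutes=10)) -> bool:
    """Step-up check for downloading raw genetic data: a logged-in session is not
    enough; the user must have passed a second factor within max_age."""
    if mfa_verified_at is None:
        return False
    return timedelta(0) <= now - mfa_verified_at <= max_age


def run_demo() -> dict:
    """Run both checks on the constructed data and return the results."""
    alerts = detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG))
    now = datetime(2023, 5, 2, 10, 30)
    export = {
        "fresh_mfa": raw_data_export_allowed(now - timedelta(minutes=3), now),
        "no_mfa": raw_data_export_allowed(None, now),
        "stale_mfa": raw_data_export_allowed(now - timedelta(hours=2), now),
    }
    return {"alerts": alerts, "export": export}


if __name__ == "__main__":
    print(run_demo())
```

On the constructed log only `203.0.113.7` is flagged (six distinct accounts, one success, inside a five-second span); the office address is ignored because its logins succeed, and the single user who mistyped a password never reaches the distinct-account threshold. The success-rate cap matters in production: a shared corporate address will show many distinct users, but not a run of failures. The export check shows the second control: a session alone never unlocks raw data, and a second-factor verification that is missing or older than ten minutes is refused.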
23andMe’s response to the unfolding incident was, according to the ICO, “inadequate”. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023.
In August 2023, a claim of data theft affecting over ten million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July of that year. Another wave of credential stuffing followed in September 2023, but the company didn’t begin a full investigation until October 2023 when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then, asserts the ICO, did 23andMe confirm that a breach had occurred.
By the end of last year, the security improvements made by 23andMe were sufficient to bring an end to the breaches identified in the ICO’s provisional decision.
Impact on consumers
The combination of personal information that could be found in 23andMe accounts (such as post codes, race, ethnic origin, familial connections and health data) could potentially be exploited by malicious actors for financial gain, surveillance or discrimination.
The ICO received 12 complaints from consumers. One of those individuals affected by the breach told the ICO: “I expected rigorous privacy controls to be in place due to the nature of the information collected. Unlike usernames, passwords and e-mail addresses, you cannot change your genetic make-up when a data breach occurs.”
Another individual commented: “Disgusted that my DNA data could be out there in the wild and exposed to bad actors. Extremely anxious about what this could mean for my personal, financial and family safety in the future. Anxious about my 23andme connections who may have been impacted and what this might mean further down the line for myself.”