The UK’s data privacy watchdog has levied a £2.31 million ($3.1 million) fine on genetic testing company 23andMe for failing to take appropriate measures to protect the personal information of its users, following a large-scale data breach in 2023.
“We have fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023,” reads the strongly worded opening statement from the Information Commissioner’s Office (ICO).
The penalty follows a joint investigation by the ICO and the Office of the Privacy Commissioner of Canada (OPC) which uncovered serious security failings at the time of the incident.
According to the ICO, between April and September 2023, a hacker carried out a “credential stuffing attack” on 23andMe’s platform, exploiting reused login credentials compromised in previous, unrelated data breaches.
“This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports,” the ICO outlines.
The type and amount of information accessed varied depending on the data included in a customer's account.
The ICO press release only focuses on British victims, but the full toll is said to be almost 7 million compromised accounts.
As reported by The Register, only around 14,000 accounts were accessed directly by the threat actor, about 0.1 percent of the platform’s registered users.
However, because many of those compromised accounts had opted in to 23andMe’s popular DNA Relatives feature, the attacker could also read the profile data those accounts were entitled to see about their DNA matches around the world, which is how the exposure grew to around 6.9 million customers.
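The amplification described above is worth modelling explicitly when threat-modelling a sharing feature: the attacker never needs more than the credentials already stolen, because each compromised account’s own view of its opted-in matches is the pivot. The following is an added example, not 23andMe’s code or data; the match graph, opt-in set and compromised set are constructed, and the one-hop rule (a match is readable only if both sides opted in, and matches of matches are not) is an assumption about how such a feature behaves.

```python
"""Added example: one-hop exposure through an opt-in 'relatives' sharing feature.

Constructed data, not 23andMe's: a tiny DNA-match graph in which an attacker who
logs into a compromised account can read every match that account can see, but
only when both the account and the match opted in to the sharing feature.
"""
from collections import defaultdict

# Constructed match graph (undirected): each pair is a match the platform computed.
MATCHES = [
    ("acc1", "rel_a"), ("acc1", "rel_b"), ("acc1", "rel_c"),
    ("acc2", "rel_d"),
    ("rel_a", "far_x"),   # a relative of a relative: two hops from acc1
    ("acc3", "rel_e"),    # acc3 never opted in, so rel_e stays hidden
]
# Assumed opt-in status per profile (constructed).
OPTED_IN = {"acc1", "acc2", "rel_a", "rel_b", "rel_d", "rel_e", "far_x"}
# Accounts the credential-stuffing attack actually logged into (constructed).
COMPROMISED = {"acc1", "acc2", "acc3"}


def build_adjacency(matches):
    """Turn the pair list into a symmetric adjacency map."""
    adj = defaultdict(set)
    for a, b in matches:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def exposed_profiles(matches, opted_in, compromised):
    """Return every profile an attacker can read from the compromised accounts.

    The compromised accounts themselves are always exposed. Each match of a
    compromised account is exposed only if both the compromised account and the
    match opted in. Exposure is one hop only: the attacker sees what the
    compromised account's own match list shows, not the matches of those matches.
    """
    adj = build_adjacency(matches)
    exposed = set(compromised)
    for acct in compromised:
        if acct not in opted_in:
            continue  # no sharing view to pivot through
        for match in adj[acct]:
            if match in opted_in:
                exposed.add(match)
    return exposed


def amplification(matches, opted_in, compromised):
    """Exposed profiles per directly compromised account."""
    return len(exposed_profiles(matches, opted_in, compromised)) / len(compromised)


if __name__ == "__main__":
    exposed = exposed_profiles(MATCHES, OPTED_IN, COMPROMISED)
    print("directly compromised:", sorted(COMPROMISED))
    print("exposed via sharing:", sorted(exposed - COMPROMISED))
    print("amplification factor:", amplification(MATCHES, OPTED_IN, COMPROMISED))
```

In this constructed graph three compromised logins expose six profiles; `rel_c` (not opted in), `rel_e` (reachable only through an account that never opted in) and `far_x` (two hops away) stay hidden. The design lesson is that the blast radius of a sharing feature is set by the opt-in population, not by the number of accounts an attacker actually breaks into, which is why step-up authentication before exposing shared data matters more than the raw login control.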
The ICO’s £2.31 million fine was considerably reduced from the initial proposed fine of £4.59 million ($6.22 million) – this, despite the investigation revealing “serious security failings at the time of the 2023 data breach,” including:
· Breached UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, and unpredictable usernames.
· Failed to implement appropriate controls over access to raw genetic data.
· Lacked effective systems to monitor, detect, or respond to cyberthreats targeting its customers’ sensitive information.
· Responded inadequately to the unfolding incident: another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when an employee discovered that the stolen data had been advertised for sale on Reddit. The ICO stresses: “Only then did 23andMe confirm that a breach had occurred.”
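The monitoring failure in the list above and the credential-stuffing attack described earlier share one cause: stuffing spreads leaked username/password pairs across many accounts, so a classic per-account lockout sees one or two failures per account and never fires. The signal lives at the source, in one client trying many distinct usernames with a high failure rate. The following is an added example of that detection logic run over constructed log lines; it is not 23andMe’s code, its log format (`ts= ip= user= result=`) and thresholds are assumptions, and the sample IPs are documentation ranges.

```python
"""Added example: spotting credential stuffing in authentication logs.

Constructed log lines, not 23andMe's. Per-account lockout does not fire because
each account sees at most one failure; the signal is one source cycling through
many distinct usernames with mostly failures, plus the few logins that succeed.
"""
import re
from collections import defaultdict

# Assumed log line format (constructed for this example).
LOG_RE = re.compile(r"ts=(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)")

# Constructed sample: 203.0.113.7 replays leaked credential pairs against ten
# accounts; 198.51.100.9 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
ts=2023-05-02T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
ts=2023-05-02T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
ts=2023-05-02T10:00:03Z ip=203.0.113.7 user=carol result=OK
ts=2023-05-02T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
ts=2023-05-02T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
ts=2023-05-02T10:00:06Z ip=203.0.113.7 user=frank result=OK
ts=2023-05-02T10:00:07Z ip=203.0.113.7 user=grace result=FAIL
ts=2023-05-02T10:00:08Z ip=203.0.113.7 user=heidi result=FAIL
ts=2023-05-02T10:00:09Z ip=203.0.113.7 user=ivan result=FAIL
ts=2023-05-02T10:00:10Z ip=203.0.113.7 user=judy result=FAIL
ts=2023-05-02T10:00:11Z ip=198.51.100.9 user=mallory result=FAIL
ts=2023-05-02T10:00:15Z ip=198.51.100.9 user=mallory result=OK
"""


def parse(log_text):
    """Return (timestamp, ip, user, success) tuples for lines that match the format."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((ts, ip, user, result == "OK"))
    return events


def per_account_lockout_hits(events, threshold=5):
    """Accounts a classic per-account lockout (N failures per user) would flag."""
    fails = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            fails[user] += 1
    return {u for u, n in fails.items() if n >= threshold}


def stuffing_sources(events, min_users=5, min_fail_ratio=0.5):
    """Source IPs that tried at least min_users distinct usernames with a
    failure ratio at or above min_fail_ratio. Thresholds are assumptions."""
    users, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, ok in events:
        users[ip].add(user)
        attempts[ip] += 1
        if not ok:
            fails[ip] += 1
    flagged = {}
    for ip in attempts:
        ratio = fails[ip] / attempts[ip]
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(users[ip]), "fail_ratio": round(ratio, 2)}
    return flagged


def accounts_to_reset(events, flagged_ips):
    """Accounts a flagged source logged into successfully. These logins looked
    valid to the login form, so they need forced password reset and session
    revocation rather than waiting for the victims to notice."""
    return {user for _, ip, user, ok in events if ok and ip in flagged_ips}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("per-account lockout would flag:", per_account_lockout_hits(events))
    flagged = stuffing_sources(events)
    print("stuffing sources:", flagged)
    print("accounts needing reset:", sorted(accounts_to_reset(events, set(flagged))))
```

On the sample, the per-account lockout flags nothing, while the per-source view flags 203.0.113.7 (ten usernames, 80 percent failures) and names the two accounts it got into. In production the attacker spreads attempts across many addresses, so the same counters should also be kept per ASN, per user-agent fingerprint and globally (a sudden jump in the site-wide failure rate is often the first visible sign), and any successful login from a flagged source should trigger a reset and step-up authentication rather than be treated as a normal session.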
The ICO acknowledges that, by the end of 2024, security improvements made by 23andMe were “sufficient to bring an end to the breaches identified in our provisional decision.”
The UK’s privacy regulator warns that the combination of personal information in 23andMe accounts (postal codes, race, ethnic origin, familial connections, and health data) can be exploited for financial gain, surveillance, and discrimination.
In a formal complaint filed with the ICO, one of the people affected by the breach appropriately pointed out that, “Unlike usernames, passwords and e-mail addresses, you can't change your genetic makeup when a data breach occurs.”
The ICO also urges netizens to use strong, unique passwords for each account, enable multi-factor authentication wherever possible, and watch out for phishing emails or messages that reference your personal information.
Anyone affected by a data breach should consider a data monitoring service. Bitdefender Digital Identity Protection lets you know if your data has been compromised or leaked online, what risks you face, and how to protect yourself.
If you’re a 23andMe customer, past or present, watch out for unsolicited communications citing your personal data. When in doubt about a suspicious text, phone call, or social media interaction, use Scamio, our free scam-fighting bot.
Consider using a security solution on all your devices for peace of mind.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.