ICO fines 23andMe £2.31 million for failing to protect UK users’ genetic data

FOR IMMEDIATE RELEASE

The Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.

The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.

What happened

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.

This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer's account.

Our investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.

John Edwards, UK Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”

Philippe Dufresne, Privacy Commissioner of Canada, said: “Strong data protection must be a priority for organisations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organisation that is not taking steps to prioritise data protection and address these threats is increasingly vulnerable.

“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources, and expertise, we are able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”

Summary of the contraventions

The joint investigation into 23andMe revealed serious security failings at the time of the 2023 data breach. The company breached UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.

23andMe’s response to the unfolding incident was inadequate. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023. In August 2023, a claim of data theft affecting over 10 million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023. Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.

By the end of 2024, the security improvements made by 23andMe were sufficient to bring an end to the breaches identified in our provisional decision.

You can read the full details of the incident in our monetary penalty notice.

Impact on consumers

The combination of personal information that could be found in 23andMe accounts, such as post codes, race, ethnic origin, familial connections, and health data could potentially be exploited by malicious actors for financial gain, surveillance or discrimination. The ICO received 12 complaints from consumers. Some of the people affected by the breach told us the following:

“I expected rigorous privacy controls to be in place due to the nature of the information collected. Unlike usernames, passwords and e-mail addresses, you can't change your genetic makeup when a data breach occurs.”

“Disgusted that my DNA data could be out there in the wild and been exposed to bad actors. Extremely anxious about what this could mean to my personal, financial and family safety in the future. Anxious about my 23andme connections, who may have been impacted and what this may mean further down the line for me.”

Advice for the public

The responsibility to keep people’s information secure lies first and foremost with companies that collect and use personal information, and they have a legal duty to take this responsibility seriously.

But there are also steps people can take to protect their personal information, for example: use strong, unique passwords for each account; enable multi-factor authentication wherever possible; and remain vigilant against phishing emails or messages that reference personal or genetic information.