ICO fines 23andMe £2.31 million for failing to protect UK users’ genetic data

FOR IMMEDIATE RELEASE

The Information Commissioner’s Office (ICO) has fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.

The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.

What happened

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.

This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer's account.

Our investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.

John Edwards, UK Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”

Philippe Dufresne, Privacy Commissioner of Canada, said: “Strong data protection must be a priority for organisations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organisation that is not taking steps to prioritise data protection and address these threats is increasingly vulnerable.

“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources, and expertise, we are able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”

Summary of the contraventions

The ICO found that 23andMe breached UK data protection law by:

• Failing to put in place appropriate authentication and verification measures as part of its customer login process, including, but not limited to, mandatory multi-factor authentication (MFA), secure password requirements, or unpredictable usernames.
• Failing to put in place appropriate security measures that focused on the access to and download of raw genetic data.
• Failing to put in place measures to monitor for, detect and appropriately respond to cyber threats to its customers’ personal information.

Additionally, 23andMe’s response to the incident was inadequate and they missed many opportunities to act, including:

• The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023.
• In July 2023, the hacker used a computer programme to log into a free account with no associated DNA sample over a million times throughout the course of a single day. This was part of an unsuccessful attempt to initiate “profile transfers”. Due to this intense volume of logins during the course of a single day, 23andMe’s platform stopped working and their users were unable to access the platform.
• Later in July 2023, there was a further attempt by the hacker to initiate profile transfers in 400 separate accounts. Despite 23andMe investigating this incident at the time, it failed to detect that this was part of a larger ongoing data breach.
• In August 2023, a claim of data theft affecting over 10 million users was dismissed as a hoax by 23andMe.
• In September 2023, the hacker carried out a second intense period of credential stuffing activity.

Despite all this activity, the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.

By the end of 2024, the security improvements made by 23andMe were sufficient to bring an end to the breaches identified in our provisional decision.

You can read the full details of the incident in our monetary penalty notice.

Legal requirements and our guidance

The law requires organisations to take proactive steps to protect themselves against cyber attacks. Our guidance recommends using two-factor or multi-factor authentication wherever possible, particularly when sensitive personal information is being collected or processed. In addition, organisations should regularly scan for vulnerabilities and instal the latest security patches without delay.

We have detailed guidance to help organisations understand their security obligations. Last year we published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.