23andMe 'failed to take basic steps' to safeguard customer data
The ICO has strong criticism for the way the genetic testing company responded to a 2023 breach.
The Information Commissioner's Office (ICO) has slapped a fine of £2.31 million on genetic testing company 23andMe for failing to protect customer data after a cyber attack.
The credential stuffing attack, which took place between April and September 2023, saw the exposure of the personal information of 155,592 UK residents.
The data exposed included names, birth years, location, profile images, race, ethnicity, family trees, and health reports.
At the time, the company was roundly criticized for appearing to blame users themselves for the breach. It wrote to customers saying they'd "failed to update their passwords following past security incidents unrelated to 23andMe", and had "negligently recycled" login credentials from other accounts that were already exposed.
The ICO, though, takes a different view.
"This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number," said information commissioner John Edwards.
"23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm."
Specifically, the ICO found that 23andMe had failed to implement appropriate authentication and verification measures when customers logged in, including mandatory multi-factor authentication (MFA) and strong passwords.
It also failed to put appropriate security measures in place to deal with access to and the downloading of raw genetic data.
Nor did it have the right measures in place to monitor for, detect, and appropriately respond to cyber threats to its customers' personal information.
"Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information," said Philippe Dufresne, privacy commissioner of Canada, who collaborated with the ICO on the investigation.
"With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable."
As well as failing to protect customer data, 23andMe handled the attack badly, the authorities concluded. The hackers kicked off their credential stuffing attack in April 2023, ramping up efforts in May and attempting to initiate profile transfers in July. Nor did this happen invisibly: 23andMe's platform stopped working, leaving the company's users unable to access it.
However, said the ICO, "Despite 23andMe investigating this incident at the time, it failed to detect that this was part of a larger ongoing data breach."
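The ICO's findings above come down to missing MFA, no controls on raw-data downloads, and no detection of an attack that ran for months. As an added illustration (not code from the article or from 23andMe), the following constructed example shows the kind of login-log signal a defender would look for: a single source hitting many distinct accounts with a high failure rate, which distinguishes credential stuffing from an ordinary brute force against one account, and it reports the accounts that source did get into so they can be forced to reset. The log format, IPs and usernames are all invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication events (not real 23andMe logs).
# Format: "<timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-04-12T02:00:01Z 203.0.113.7 alice@example.test FAIL
2023-04-12T02:00:02Z 203.0.113.7 bob@example.test FAIL
2023-04-12T02:00:03Z 203.0.113.7 carol@example.test OK
2023-04-12T02:00:04Z 203.0.113.7 dave@example.test FAIL
2023-04-12T02:00:05Z 203.0.113.7 erin@example.test FAIL
2023-04-12T02:00:06Z 203.0.113.7 frank@example.test FAIL
2023-04-12T02:00:07Z 203.0.113.7 grace@example.test OK
2023-04-12T02:00:08Z 203.0.113.7 heidi@example.test FAIL
2023-04-12T08:15:00Z 198.51.100.20 alice@example.test OK
2023-04-12T08:16:00Z 198.51.100.21 bob@example.test FAIL
2023-04-12T08:16:30Z 198.51.100.21 bob@example.test OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to spot stuffing behaviour."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts that logged in


def parse(log_text):
    """Split the constructed log into (timestamp, ip, user, result) tuples."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]


def detect_credential_stuffing(log_text, min_users=5, min_fail_rate=0.6):
    """Return {source_ip: [accounts it successfully logged into]} for sources
    that tried at least min_users distinct accounts with a failure rate of
    min_fail_rate or more. A brute force against one account never trips the
    distinct-user threshold; a stuffing run against many accounts does."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, result in parse(log_text):
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    flagged = {}
    for ip, s in stats.items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_rate:
            flagged[ip] = sorted(s.successes)  # likely reused-password accounts
    return flagged
```

A production version would evaluate these counters over a sliding time window and alert on the successes from a flagged source, since those are the accounts whose reused passwords have just been validated.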
It didn't start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.
Indeed, in August it had even dismissed a claim of data theft affecting over 10 million users as a hoax.
23andMe has since filed for Chapter 11 bankruptcy in the US, with a sale hearing set for today. The ICO said it was monitoring the situation closely, pointing out that the protections and restrictions of the UK GDPR continue to apply.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.