Out-Law News
25 Jun 2025, 9:55 am
Recent enforcement action by the UK Information Commissioner’s Office (ICO) serves as a stark warning to companies handling sensitive data, with firms urged to ensure appropriate data protection measures are in place, an expert has said.
The ICO fined genetic testing company 23andMe £2.31 million for failing to adequately protect the sensitive personal data of over 155,000 UK users. The penalty follows a joint investigation with the Office of the Privacy Commissioner of Canada amid growing international concern over the security of genetic and biometric data.
David McIlwaine, cyber security expert at Pinsent Masons, said: “The monetary penalty notice and fine levied by the ICO illustrate that 23andMe’s IT security posture was insufficient at the time of attack. The investigation and subsequent fine should remind companies handling sensitive personal data, particularly in the health and biotech sectors, that failure to implement adequate cybersecurity measures will not be tolerated.”
The fine stems from a large-scale cyberattack that occurred between April and September 2023. Hackers exploited reused login credentials – previously stolen in unrelated data breaches – to gain unauthorised access to 23andMe accounts through a method known as credential stuffing. Once inside, attackers were able to access a trove of sensitive information, including names, birth years, locations, profile images, racial and ethnic backgrounds, family trees, and even health reports.
Credential stuffing attacks are common: attackers replay username and password pairs gleaned from other breaches, exploiting the habit of reusing the same login details across different accounts, including work accounts. The risk is usually managed by requiring specific, strong passwords that are changed periodically, by requiring multi-factor authentication, which demands a second verification source, and by ensuring that usernames are not obvious.
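The pattern described above is detectable from a site's own login audit trail: one source trying many different accounts with a high failure rate is the signature of a credential-stuffing run, and any account that was successfully entered from such a source without a second factor is a candidate for a forced password reset. The following is an added example written for this article, not code from 23andMe, the ICO or Pinsent Masons; the log line format, field names (`src`, `user`, `result`, `mfa`), the sample lines and the thresholds are all assumptions constructed for the demonstration.

```python
"""Credential-stuffing triage over web-login audit events (illustrative, constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample audit lines in an assumed format (not real 23andMe logs).
# 203.0.113.9 tries eight different accounts and mostly fails (stuffing pattern),
# 198.51.100.4 is one user mistyping a password twice, and 192.0.2.77 probes two accounts.
# "mfa" records whether a second factor was verified on that request.
SAMPLE_LOG = """\
2023-05-02T10:01:07Z src=203.0.113.9 user=alice result=fail mfa=no
2023-05-02T10:01:08Z src=203.0.113.9 user=bob result=success mfa=no
2023-05-02T10:01:09Z src=203.0.113.9 user=carol result=fail mfa=no
2023-05-02T10:01:10Z src=203.0.113.9 user=dave result=fail mfa=no
2023-05-02T10:01:11Z src=203.0.113.9 user=erin result=fail mfa=no
2023-05-02T10:01:12Z src=203.0.113.9 user=frank result=fail mfa=no
2023-05-02T10:01:13Z src=203.0.113.9 user=grace result=success mfa=yes
2023-05-02T10:01:14Z src=203.0.113.9 user=heidi result=fail mfa=no
2023-05-02T10:05:00Z src=198.51.100.4 user=alice result=fail mfa=no
2023-05-02T10:05:20Z src=198.51.100.4 user=alice result=fail mfa=no
2023-05-02T10:05:45Z src=198.51.100.4 user=alice result=success mfa=yes
2023-05-02T11:00:00Z src=192.0.2.77 user=ivan result=fail mfa=no
2023-05-02T11:00:01Z src=192.0.2.77 user=judy result=fail mfa=no
"""

# Assumed line layout: timestamp, then space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|fail) mfa=(?P<mfa>yes|no)$"
)


def parse_log(text):
    """Return a list of event dicts; malformed lines are skipped rather than aborting triage."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)          # distinct accounts attempted
    successes_no_mfa: set = field(default_factory=set)  # accounts entered with password only


def summarise_by_source(events):
    """Aggregate login outcomes per source address."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "fail":
            s.failures += 1
        elif e["mfa"] == "no":
            s.successes_no_mfa.add(e["user"])
    return stats


def flag_stuffing_sources(events, min_users=5, min_failure_rate=0.7):
    """Sources that spray many distinct accounts and mostly fail (thresholds are assumptions)."""
    return {
        src: s
        for src, s in summarise_by_source(events).items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_failure_rate
    }


def accounts_to_reset(events, **thresholds):
    """Accounts successfully entered from a flagged source without a second factor."""
    hits = set()
    for s in flag_stuffing_sources(events, **thresholds).values():
        hits |= s.successes_no_mfa
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, s in flag_stuffing_sources(evts).items():
        print(f"{src}: {len(s.users)} accounts, {s.failures}/{s.attempts} failed")
    print("force password reset:", sorted(accounts_to_reset(evts)))
```

On the constructed sample only 203.0.113.9 is flagged, and `bob` is the one account that needs a reset; `grace` was entered from the same source but the second factor held, which is exactly the protection the paragraph above describes. In production the thresholds would be tuned per site and the per-source aggregation would run over a sliding time window rather than the whole file.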
McIlwaine said: “23andMe failed to have these basic procedures in place, despite the special category of data that it was processing. This oversight left users’ most intimate and immutable data exposed to exploitation.”
Consequently, the ICO found that the company was in breach of the UK General Data Protection Regulation (UK GDPR), which requires data controllers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The ICO criticised the company’s slow response and inadequate security systems, stating that “the warning signs were there”, but 23andMe failed to act, leaving users more vulnerable to exploitation and harm. Further, the ICO emphasised that the nature of the compromised data – genetic and familial information – made the breach particularly serious, as such data is not only deeply personal but also permanent.
McIlwaine said: “It is noteworthy that the fine has been levied against 23andMe, Inc, a US corporation. The company settled a $30m class action last year related to the incident and reported a deficit of $2.4 billion, stating that there was substantial doubt about the company’s ability to continue as a going concern, and certain affiliates have filed for bankruptcy. Nevertheless, the ICO levied the fine of £2.31m after concluding that a monetary penalty remained appropriate in order to provide an effective, proportionate and dissuasive response to the infringements.”
“The ICO states that it did take into account the company’s current and significantly deteriorated financial position. We therefore conclude that the fine should have been significantly higher. We wait to see what enforcement action the ICO may take in relation to the fine,” he said.