The genetic testing firm 23AndMe has been penalized with a fine exceeding £2.3 million following a significant cyberattack in 2023, which compromised the personal information of over 150,000 UK residents.
Sensitive data, including family tree details, health reports, names, and postcodes, was among the information stolen from the California-based company. The UK Information Commissioner's Office (ICO) confirmed the breach after employees discovered that the stolen data was being offered for sale on the social media platform Reddit.
Information Commissioner John Edwards described the incidents during the summer of 2023 as "a deeply damaging violation." The data of UK residents was only a fraction of a larger security incident that compromised data belonging to 7 million individuals.
23AndMe offers DNA screening for £89 through a saliva-based kit, allowing users to trace their ancestry in terms of ethnicity and geographical origin. However, the company sought bankruptcy protection in the US in March, with many customers requesting the removal of their DNA data from its records following the hack.
The penalty coincided with a $355 million acquisition bid for the company led by former CEO Anne Wojcicki.
Edwards noted that the data breaches included sensitive personal information, family histories, and even health conditions of numerous individuals in the UK.
“As one affected individual remarked, once this information is out there, it cannot be altered or replaced like a password or credit card number,” he added.
UK data protection regulators found that 23AndMe did not take fundamental steps to safeguard user information, revealing inadequacies in its security system, including a failure to implement stricter user authentication measures.
Hackers exploited a widespread weakness: the reuse of passwords that had already been compromised in unrelated data breaches. Using automated tools, they tried those leaked credentials against 23AndMe accounts, a technique known as "credential stuffing."
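Detection logic for the credential-stuffing pattern described above, as an added example that is not from the article or from 23AndMe: the login events are constructed, and the thresholds are assumptions to be tuned per application.

```python
"""Flag credential-stuffing patterns in authentication logs.

A stuffing run typically shows one source trying many distinct usernames
with mostly failures; the few successes are accounts whose password was
reused from another breach and need a forced reset plus MFA enrolment.
"""
from collections import defaultdict

# Constructed sample events: (timestamp, source_ip, username, outcome)
SAMPLE_EVENTS = [
    ("2023-08-01T10:00:01", "203.0.113.7", "alice", "fail"),
    ("2023-08-01T10:00:02", "203.0.113.7", "bob", "fail"),
    ("2023-08-01T10:00:02", "203.0.113.7", "carol", "success"),
    ("2023-08-01T10:00:03", "203.0.113.7", "dave", "fail"),
    ("2023-08-01T10:00:03", "203.0.113.7", "erin", "fail"),
    ("2023-08-01T10:00:04", "203.0.113.7", "frank", "success"),
    # A legitimate user mistyping once, then succeeding: not stuffing.
    ("2023-08-01T10:00:10", "198.51.100.9", "alice", "fail"),
    ("2023-08-01T10:00:20", "198.51.100.9", "alice", "success"),
]


def summarise_sources(events):
    """Per source IP: distinct usernames tried, attempts, failures, successes."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fail": 0, "ok": set()})
    for _ts, ip, user, outcome in events:
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if outcome == "success":
            s["ok"].add(user)
        else:
            s["fail"] += 1
    return stats


def flag_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Return {source_ip: sorted accounts that succeeded} for suspicious sources.

    Thresholds are illustrative assumptions. A source is flagged when it tries
    at least min_users distinct accounts and most attempts fail.
    """
    flagged = {}
    for ip, s in summarise_sources(events).items():
        fail_ratio = s["fail"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s["ok"])
    return flagged


if __name__ == "__main__":
    for ip, hits in flag_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: stuffing pattern; accounts to reset: {hits}")
```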
Edwards remarked, “The warning signs were evident, and the company’s response was sluggish. This has made individuals’ most sensitive data vulnerable to exploitation and harm.”
A company spokesperson stated that 23AndMe has taken various measures to enhance the security of individual accounts and data. The company has made a firm commitment to improving the protection of customer data and privacy in connection with its proposed acquisition by the TTAM Research Institute, a nonprofit associated with Wojcicki.
The fine is one of several substantial penalties imposed on organizations by the ICO in recent years for failing to secure data against hacking and ransomware incidents. In 2022, a construction firm was fined more than £4.4 million after staff data was compromised, including contact information, bank details, sexual orientation, and health data.
In March of this year, NHS IT supplier Advanced Computer Software Group faced a fine of nearly £3.1 million for endangering the personal information of approximately 80,000 individuals.
Source: www.theguardian.com