UK ICO imposes £2.3m fine on 23andMe for data breach


The ICO found that 23andMe had failed to implement adequate security measures before and during a 2023 cyberattack that exposed the personal data of over 155,000 UK residents.

UK ICO has fined 23andMe £2.3m for security failures in data breach. (Photo: nevodka/Shutterstock)

The UK Information Commissioner’s Office (ICO) has levied a £2.31m fine against genetic testing company 23andMe for inadequate security measures following a cyberattack in 2023. The ICO, in collaboration with the Office of the Privacy Commissioner of Canada, conducted a joint investigation that revealed significant security shortcomings.

The breach, occurring between April and September 2023, involved a credential stuffing attack that exploited reused login credentials from previous data breaches. This led to unauthorised access to personal information of 155,592 UK residents, including names, birth years, locations, and genetic data. The extent of data accessed varied depending on the information stored in each user’s account.

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK,” said the Information Commissioner, John Edwards. “As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”

Edwards went on to castigate 23andMe for failing to take basic steps to protect the personal data of its customers. “Their security systems were inadequate, the warning signs were there, and the company was slow to respond,” said the commissioner. “This left people’s most sensitive data vulnerable to exploitation and harm. We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account.”

Investigation uncovers lack of robust authentication protocols

The investigation uncovered that 23andMe did not implement additional verification steps for users seeking to access and download their raw genetic data. The company failed to adopt essential security protocols, including mandatory multi-factor authentication, secure password practices, and unique usernames. Furthermore, it lacked effective systems for monitoring, detecting, and responding to cyber threats targeting sensitive customer information.
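The two control gaps above, detection of a credential-stuffing run and step-up verification before raw-data export, are concrete enough to show in code. The following Python is an added illustration and is not 23andMe's code or anything from the ICO's decision; the log format, the documentation-range IP addresses, the thresholds and the session field names are all assumptions. The detector looks for the signature that distinguishes stuffing from a user mistyping their own password: one source trying many different accounts in a short window, mostly failing. Accounts that succeeded from such a source are the reused-credential hits that need a forced reset and session revocation. The export check refuses a raw-data download unless a second factor was verified recently in the session, independent of the password login.

```python
"""Credential-stuffing detection over login events, plus a step-up check
for raw genetic data export. Added illustration; not 23andMe's code.
Log format, IPs, thresholds and session fields are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    # Constructed format: "<ISO timestamp> <source ip> <username> <ok|fail>"
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, result == "ok")


def detect_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {src_ip: usernames attempted} for every source that tried at
    least min_distinct_users *distinct* accounts inside any sliding window.
    Many accounts from one source is the stuffing signature; one account
    failing repeatedly from one source is just a forgotten password."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            users = {e.username for e in evs[start:end + 1]}
            if len(users) >= min_distinct_users and len(users) > len(flagged.get(ip, ())):
                flagged[ip] = users
    return flagged


def compromised_accounts(events, flagged):
    """Accounts with a *successful* login from a flagged source: reused
    credentials that worked, i.e. the accounts to reset and revoke."""
    return sorted({e.username for e in events if e.success and e.src_ip in flagged})


def may_export_raw_data(session, now, max_mfa_age=timedelta(minutes=15)):
    """Step-up check for raw-data download: a password session alone is not
    enough; a second factor must have been verified within max_mfa_age.
    `session` is assumed to be a dict with 'mfa_verified_at' (datetime or None)."""
    verified_at = session.get("mfa_verified_at")
    return verified_at is not None and now - verified_at <= max_mfa_age


# Constructed sample log (documentation-range IPs, fictional usernames):
# 203.0.113.7 sprays six accounts in ten seconds and lands one;
# 198.51.100.4 is one user fumbling their own password.
SAMPLE_LOG = """\
2023-07-14T09:00:00 203.0.113.7 alice fail
2023-07-14T09:00:02 203.0.113.7 bob fail
2023-07-14T09:00:04 203.0.113.7 carol ok
2023-07-14T09:00:06 203.0.113.7 dave fail
2023-07-14T09:00:08 203.0.113.7 erin fail
2023-07-14T09:00:10 203.0.113.7 frank fail
2023-07-14T09:05:00 198.51.100.4 grace fail
2023-07-14T09:05:30 198.51.100.4 grace fail
2023-07-14T09:06:00 198.51.100.4 grace fail
2023-07-14T09:06:30 198.51.100.4 grace ok
"""


def analyse(log_text=SAMPLE_LOG):
    """Parse the log and return (flagged sources, accounts to reset)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    flagged = detect_stuffing(events)
    return flagged, compromised_accounts(events, flagged)


def export_decisions(now=None):
    """Three constructed sessions: no MFA, MFA 5 min ago, MFA 20 min ago."""
    now = now or datetime(2023, 7, 14, 9, 30)
    return (
        may_export_raw_data({"mfa_verified_at": None}, now),
        may_export_raw_data({"mfa_verified_at": now - timedelta(minutes=5)}, now),
        may_export_raw_data({"mfa_verified_at": now - timedelta(minutes=20)}, now),
    )


if __name__ == "__main__":
    flagged, hits = analyse()
    print("stuffing sources:", {ip: sorted(u) for ip, u in flagged.items()})
    print("accounts to reset:", hits)
    print("export allowed (no MFA, fresh MFA, stale MFA):", export_decisions())
```

On the sample log only 203.0.113.7 is flagged, with carol as the account to reset, while grace's four failures from 198.51.100.4 are left alone because they involve a single account. In production the same logic would run over the identity provider's login stream, with the threshold tuned against the site's normal per-source account diversity, and a flagged source would feed rate limiting and forced credential resets rather than just a report.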

Despite early indications of unauthorised activity in July 2023, 23andMe dismissed a claim in August 2023 that data affecting over 10 million users had been stolen, labelling it a hoax. The company had conducted isolated investigations into the unauthorised activity, but only initiated a comprehensive investigation in October 2023. This was prompted by a 23andMe employee discovering that the stolen data had been advertised for sale on Reddit. The breach was only confirmed after this discovery.

By the end of 2024, 23andMe had made sufficient security improvements to address the breaches identified in the ICO’s provisional decision. These enhancements are aimed at preventing future incidents and aligning with UK data protection laws.

In a similar incident, the ICO fined Advanced Computer Software Group £3.07m in March this year for a ransomware attack in 2022 that compromised the personal data of 79,404 individuals, including NHS patients. The attack targeted Advanced’s health and care subsidiary through a customer account lacking multi-factor authentication, disrupting services such as NHS 111 and hindering access to patient records.

Adam Casey, the director of cybersecurity consultancy tmc3, said that the episode highlighted important lessons for firms handling large volumes of highly sensitive personal data. “To avoid making the same mistakes, businesses must identify high-risk users and enforce strong controls like MFA,” said Casey. “They also need proactive defence through robust security controls, regular patching, vulnerability management, and comprehensive employee training. Additionally, effective monitoring and detection capabilities are essential to identify breaches early and minimise damage.”

Read more: UK ICO fines Advanced Computer Software £3m after NHS data breach
