The Information Commissioner’s Office (ICO) has fined a US genetic testing company £2.31 million under the UK GDPR following a 2023 cyber-attack.
23andMe provides genetic testing for, amongst other things, health purposes and ancestry tracing. In 2023 a hacker carried out a credential stuffing attack on the company’s platform, exploiting reused login credentials that had been stolen in previous, unrelated data breaches. This resulted in unauthorised access to 155,592 UK residents’ personal data, potentially revealing sensitive data such as profile images, race, ethnicity, family trees and health reports. The type and amount of personal data accessed varied depending on the information included in a customer’s account.
The investigation into 23andMe revealed serious security failings at the time of the 2023 data breach. The company failed to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.
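The monitoring and detection failing described above is the one a security team can most readily illustrate. Credential stuffing has a recognisable shape in authentication logs: one source tries many different usernames, a few times each, and succeeds on a small fraction of them, which is the opposite of a brute-force attack against a single account. The following is an added example written for this post, not code from the ICO or from 23andMe; the log format, the sample log lines, the IP addresses and the thresholds are all constructed assumptions.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example for this post (assumption: the log format is
'<ISO timestamp> <source IP> <username> <OK|FAIL>', one event per line).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source cycles through many accounts (stuffing),
# one source hammers a single account (brute force), one ordinary login.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 198.51.100.7 alice@example.com FAIL
2023-05-01T10:00:02Z 198.51.100.7 bob@example.com FAIL
2023-05-01T10:00:02Z 198.51.100.7 carol@example.com OK
2023-05-01T10:00:03Z 198.51.100.7 dave@example.com FAIL
2023-05-01T10:00:04Z 198.51.100.7 erin@example.com FAIL
2023-05-01T10:00:05Z 198.51.100.7 frank@example.com OK
2023-05-01T10:00:06Z 198.51.100.7 grace@example.com FAIL
2023-05-01T10:00:06Z 198.51.100.7 heidi@example.com FAIL
2023-05-01T10:00:07Z 198.51.100.7 ivan@example.com FAIL
2023-05-01T10:00:08Z 198.51.100.7 judy@example.com FAIL
2023-05-01T10:05:00Z 203.0.113.9 alice@example.com FAIL
2023-05-01T10:05:30Z 203.0.113.9 alice@example.com FAIL
2023-05-01T10:06:00Z 203.0.113.9 alice@example.com OK
2023-05-01T11:00:00Z 192.0.2.44 mallory@example.com OK
"""


def parse_line(line: str):
    """Turn one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_credential_stuffing(log_text: str,
                               window: timedelta = timedelta(minutes=10),
                               min_distinct_users: int = 5) -> dict:
    """Flag source IPs that try at least `min_distinct_users` different
    accounts inside any sliding `window`. Returns {ip: summary} for flagged
    sources, where the summary describes the busiest window seen for that IP.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    # Accounts the source actually got into: these need action.
                    "successful_logins": sorted({u for _, u, ok in span if ok}),
                }
        if best["distinct_users"] >= min_distinct_users:
            findings[ip] = best
    return findings


def accounts_to_reset(findings: dict) -> set:
    """Accounts successfully accessed from a flagged source, i.e. the ones to
    force a password reset and notify; the first step of a response."""
    return {u for f in findings.values() for u in f["successful_logins"]}


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG)
    for ip, summary in hits.items():
        print(ip, summary)
    print("reset:", sorted(accounts_to_reset(hits)))
```

Run against the constructed log, the detector flags only 198.51.100.7, reporting 10 distinct usernames in 10 attempts with two successful logins; the single-account source 203.0.113.9 is not flagged because it matches a different pattern (brute force), which a separate per-account lockout rule would catch. The point for defenders is that the distinct-username count per source is the signal; a failed-login count alone misses stuffing, because each account sees only one or two attempts. Mandatory multi-factor authentication, which the ICO found missing, would turn the two "OK" lines into failed second-factor challenges rather than account takeovers.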
The ICO also found that 23andMe’s response to the unfolding incident was inadequate. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023.
In August 2023, a claim of data theft affecting over 10 million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023. Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.
What happens now?
The ICO has made much of this penalty and the joint investigation conducted with the Office of the Privacy Commissioner of Canada. John Edwards, the Information Commissioner, said:
“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”
The fine comes after an ICO statement in March which said that a Notice of Intent had been issued for £4.59 million. That is an almost 50% reduction but, whatever the amount of the fine, the ICO is unlikely to see a penny.
In April 23andMe filed for bankruptcy in the US courts. On Friday it said that it had agreed to the sale of its assets to a non-profit biotech organisation led by its co-founder and former chief executive. It said the purchase of the company would come with binding commitments to uphold existing policies and consumer protections, such as letting customers delete their accounts and genetic data and opt out of research.
A bankruptcy court is scheduled to hear the case for its approval on Wednesday.
This case is also a good example of the extraterritorial reach of the UK GDPR. Article 3(2)(a) UK GDPR applies because, although 23andMe is not established within the UK, it processes the personal data of the affected UK Data Subjects for the purposes of offering goods or services to those individuals.
This is the third fine issued by the ICO in 2025. In April a £60,000 fine was issued to a law firm and in March an NHS IT supplier was fined £3 million. Both also followed cyber-attacks.
We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations that wish to upskill their employees in cyber security. See also our Managing Personal Data Breaches Workshop.