Genetic testing firm 23andMe has been fined £2.31 million by the UK’s data protection watchdog for “serious security failings” after personal information of more than 155,000 UK users was accessed in a major cyber attack.
The Information Commissioner’s Office (ICO) said the DNA testing kit firm, which filed for bankruptcy in the US in March, failed to properly protect UK user data and also responded inadequately to the hack in 2023.
The penalty follows a joint investigation between the ICO and the Office of the Privacy Commissioner of Canada.
The attack, which took place between April and September 2023, saw personal information of 155,592 UK residents accessed by the hacker, potentially revealing names, birth years, some addresses, profile images, race, ethnicity, family trees and health reports.
The ICO said its investigation found that 23andMe had no extra verification step before users could access and download their raw genetic data. It also lacked adequate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols or unpredictable usernames.
The firm also did not have effective systems in place to monitor, detect or respond to cyber threats targeting its customers’ sensitive information.
Information Commissioner John Edwards said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories and even health conditions of thousands of people in the UK.
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.
“23andMe failed to take basic steps to protect this information.
“Their security systems were inadequate, the warning signs were there, and the company was slow to respond.
“This left people’s most sensitive data vulnerable to exploitation and harm.”