Liv McMahon
Technology reporter
DNA testing firm 23andMe has been fined £2.31m by a UK watchdog over a data breach in 2023 which affected thousands of people.
The Information Commissioner's Office (ICO) said the company - which has since filed for bankruptcy - failed to put adequate measures in place to secure sensitive user data prior to the incident.
"This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions," said Information Commissioner John Edwards.
23andMe is set to be sold to a new owner, TTAM Research Institute, which said it had "made several binding commitments to enhance protections for customer data and privacy."
23andMe's users were targeted by what is known as a "credential stuffing" attack in October 2023.
This saw hackers use passwords exposed in previous breaches to access 23andMe accounts for which people had used the same or similar credentials.
They were able to access 14,000 individual accounts - and, through those, download information relating to about 6.9m people linked as potential relatives on the site.
According to the ICO, this included access to personal data belonging to 155,592 UK residents, such as names, year of birth, geographical information, profile images, race, ethnicity, health reports and family trees.
Stolen data did not include DNA records.
"As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number," said Mr Edwards.
Due to its more sensitive nature, genetic data is considered special category data under UK data protection law and requires further protections and safeguards.
Firms controlling it should consider having additional security measures in place to help secure it, according to the ICO's guidance.
Its investigation - launched jointly with Canada's privacy commissioner last June - found that 23andMe breached UK data protection law by not having appropriate authentication and verification measures for customers during its login process.
This included not having mandatory multi-factor authentication to allow users logging in to verify themselves through additional means or devices.
The company also did not have secure password requirements or additional verification requirements for users trying to download raw genetic data, it added.
Mr Edwards said such failures and delays in resolving them "left people's most sensitive data vulnerable to exploitation and harm".
"Their security systems were inadequate, the warning signs were there, and the company was slow to respond," he said.
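The attack described above (credential stuffing with passwords reused from earlier breaches) and the ICO's findings (no mandatory multi-factor authentication, no secure password requirements, no extra verification before raw genetic data could be downloaded) map onto three defensive controls. The block below is an added illustration and is not code from the article or from 23andMe: it rejects passwords found in a breach corpus, refuses a session unless a second factor is verified, requires a step-up check before a raw-data download, and flags the credential-stuffing pattern in authentication logs (one source IP cycling through many usernames with mostly failures). The breached-password set, the account, the log lines and all function names are constructed for the example.

```python
"""Added example (not from the article or from 23andMe): breached-password check,
mandatory MFA with step-up for raw-data downloads, and a credential-stuffing
detector over auth logs. All data below is constructed; nothing here is real."""

import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a breached-password corpus. Assumption: the corpus is
# keyed by unsalted SHA-1, as public "pwned passwords" style datasets are.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password123", "letmein", "qwerty2023")
}


def password_is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breached corpus."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def password_meets_policy(password: str) -> bool:
    """Minimal policy: at least 12 characters and not present in the breach corpus."""
    return len(password) >= 12 and not password_is_breached(password)


@dataclass
class Account:
    username: str
    password: str            # plaintext only for the demo; store a salted hash in practice
    mfa_enrolled: bool = False


@dataclass
class Session:
    username: str
    mfa_verified: bool = False


def login(acct: Account, password: str, mfa_code_ok: bool) -> Optional[Session]:
    """Password plus mandatory MFA: a reused password alone never yields a session."""
    if password != acct.password:
        return None
    if not acct.mfa_enrolled or not mfa_code_ok:
        return None
    return Session(acct.username, mfa_verified=True)


def download_raw_genetic_data(session: Session, step_up_ok: bool) -> bool:
    """Step-up verification: a raw-data download needs a fresh second-factor check."""
    return session.mfa_verified and step_up_ok


# Constructed auth log lines: "<timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>".
AUTH_LOG = """\
2023-10-01T10:00:01 203.0.113.5 alice LOGIN_FAIL
2023-10-01T10:00:02 203.0.113.5 bob LOGIN_FAIL
2023-10-01T10:00:02 203.0.113.5 carol LOGIN_OK
2023-10-01T10:00:03 203.0.113.5 dave LOGIN_FAIL
2023-10-01T10:00:03 203.0.113.5 erin LOGIN_FAIL
2023-10-01T10:00:04 203.0.113.5 frank LOGIN_FAIL
2023-10-01T10:00:05 203.0.113.5 grace LOGIN_OK
2023-10-01T10:01:00 198.51.100.7 alice LOGIN_FAIL
2023-10-01T10:01:05 198.51.100.7 alice LOGIN_OK
"""


def detect_credential_stuffing(log_text: str, min_users: int = 5,
                               min_fail_ratio: float = 0.5) -> dict:
    """Flag source IPs that try many distinct usernames with mostly failures.

    A user mistyping a password hits one username from one IP; a stuffing run
    cycles through many usernames with a low success rate. Returns
    {ip: {"users": n, "attempts": n, "failures": n}} for flagged IPs only.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _, ip, user, outcome = parts
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if outcome == "LOGIN_FAIL":
            stats["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"users": len(s["users"]),
                           "attempts": s["attempts"], "failures": s["failures"]}
    return flagged


if __name__ == "__main__":
    acct = Account("carol", "correct horse battery", mfa_enrolled=True)
    print("policy ok:", password_meets_policy("password123"))                     # False
    print("session without MFA:", login(acct, acct.password, mfa_code_ok=False))  # None
    print("flagged:", detect_credential_stuffing(AUTH_LOG))
```

The detector thresholds (five distinct usernames, half or more failures) are illustrative; in production they would be tuned per window and combined with rate limiting, since the two successful logins from 203.0.113.5 in the constructed log are exactly the accounts a stuffing run would go on to pillage.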
The company says it resolved the issues identified during the ICO and the Office of the Privacy Commissioner of Canada (OPC)'s investigation by the end of 2024.
Both watchdogs recently called on 23andMe to protect the sensitive personal data of its customers amid its bankruptcy proceedings.
The company was initially set to be sold to biotechnology company Regeneron Pharmaceuticals in a $256m deal.
But 23andMe said on Friday it had agreed to the sale of its assets to TTAM Research Institute - a non-profit biotech organisation led by its co-founder and former chief executive Anne Wojcicki.
It said the acquisition of the company for a new price of $305m would come with binding commitments to uphold existing policies and consumer protections, such as letting customers delete their accounts and genetic data and opt out of research.
A bankruptcy court is scheduled to hear the case for its approval on Wednesday.