UK watchdog hits 23andMe with multi-million pound fine over 2023 data breach
23andMe fined £2.31 million for failing to implement appropriate security measures.

- The ICO has issued 23andMe with a £2.31 million ($3.1 million) fine
- Fine is punishment for failings following 2023 data breach
- An investigation found 'serious security failings'
The British data protection watchdog, the Information Commissioner’s Office (ICO), has issued a £2.31 million fine to 23andMe for “failing to implement appropriate security measures to protect the personal information of UK users”.
This follows a 2023 cyberattack in which hackers accessed 23andMe personal user data.
The breach directly affected only 0.1% of the company's customer base, roughly 14,000 individuals, but because of the sensitive nature of the information 23andMe holds, the hackers were also able to access “a significant number of files containing profile information about other users’ ancestry that such users chose to share.”
Keeping secure
The joint investigation, carried out by the ICO and the Canadian Privacy Commissioner, revealed ‘serious security failings’ after the breach, calling 23andMe’s actions ‘inadequate’.
After the hackers carried out their credential stuffing attack, the company waited months before starting a full investigation, only confirming the breach after an employee discovered stolen data advertised for sale on Reddit.
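Credential stuffing replays username and password pairs leaked from other sites, so the signature a defender looks for is a source that tries many distinct accounts with a high failure rate, rather than many passwords against one account. The script below is an added illustration of that detection logic, not code from 23andMe or the ICO; the log format, the field names and the thresholds are assumptions made for this example, and the log lines are constructed.

```python
"""Flag credential-stuffing sources in web-login logs (added example).

Assumed log format (one event per line):
    <timestamp> ip=<source ip> user=<account> result=OK|FAIL
Thresholds are illustrative defaults, not values from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (not real data).  203.0.113.5 cycles through many
# accounts and mostly fails, which is the stuffing pattern; 198.51.100.7 is a
# normal user who mistyped a password once; 192.0.2.9 logs in cleanly.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.5 user=carol result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.5 user=dave result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=erin result=OK
2023-10-01T12:00:06Z ip=203.0.113.5 user=frank result=FAIL
2023-10-01T12:00:07Z ip=203.0.113.5 user=grace result=FAIL
2023-10-01T12:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2023-10-01T12:01:00Z ip=198.51.100.7 user=alice result=FAIL
2023-10-01T12:01:05Z ip=198.51.100.7 user=alice result=OK
2023-10-01T12:02:00Z ip=192.0.2.9 user=ivan result=OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)            # distinct accounts tried
    succeeded_users: set = field(default_factory=set)  # accounts it got into

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list:
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def aggregate_by_source(events: list) -> dict:
    """Group login events by source IP."""
    stats = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            s.succeeded_users.add(ev["user"])
    return dict(stats)


def flag_stuffing_sources(stats: dict, min_distinct_users: int = 5,
                          min_failure_rate: float = 0.8) -> dict:
    """A source is suspicious when it spreads attempts across many distinct
    accounts AND fails most of the time (brute force on one account would
    show one user with many failures and is a different rule)."""
    return {
        ip: s for ip, s in stats.items()
        if len(s.users) >= min_distinct_users and s.failure_rate >= min_failure_rate
    }


def accounts_to_reset(flagged: dict) -> list:
    """Accounts a flagged source logged into successfully: these are the
    likely-compromised credentials that need a forced reset and review."""
    out = set()
    for s in flagged.values():
        out |= s.succeeded_users
    return sorted(out)


def analyze(text: str, **thresholds) -> dict:
    """End-to-end: parse, aggregate, flag sources, list affected accounts."""
    stats = aggregate_by_source(parse_log(text))
    flagged = flag_stuffing_sources(stats, **thresholds)
    return {
        "flagged_sources": sorted(flagged),
        "accounts_to_reset": accounts_to_reset(flagged),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against the constructed log, the analysis flags 203.0.113.5 and lists `erin` as the account that source successfully entered. In a real deployment the same counters would be computed over a sliding time window and fed to an alert, which is the timely signal the article says was missing: a stuffing campaign shows up in authentication telemetry as it happens, long before stolen data surfaces for sale.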
This breach put those affected at risk not only of the usual identity theft and fraud, but also of highly sophisticated social engineering attacks. If your genetic or family history is sold to a criminal, it could be leveraged against you.
“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK,” confirmed John Edwards, UK Information Commissioner.
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”
An example of this could be a “family member” reaching out and asking for more information about you, or a “medical company” contacting you about an existing genetic health condition. If you’re affected by this breach, be extra vigilant and cautious about any unexpected communications you receive.
“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm,” Edwards confirmed.