UK watchdog hits 23andMe with multi-million pound fine over 2023 data breach
23andMe failed to implement appropriate security measures

- The ICO has issued 23andMe a £2.31 million ($3.1 million) fine
- The fine punishes the security failings behind the 2023 data breach and the slow response to it
- A joint investigation found 'serious security failings'
The British data protection watchdog, the Information Commissioner’s Office (ICO), has issued a £2.31 million fine to 23andMe for “failing to implement appropriate security measures to protect the personal information of UK users”.
This follows a 2023 cyberattack in which hackers accessed 23andMe personal user data.
The attackers directly compromised accounts belonging to only about 0.1% of the company's customer base, roughly 14,000 individuals, but because of the sensitive nature of the information 23andMe holds and the way it is shared between relatives, those accounts also gave the attackers access to “a significant number of files containing profile information about other users’ ancestry that such users chose to share.”
Keeping secure
The joint investigation, carried out by the ICO and the Privacy Commissioner of Canada, found ‘serious security failings’ and called 23andMe’s handling of the breach ‘inadequate’.
After the attackers carried out their credential stuffing attack (logging in with username and password pairs leaked from other breaches), the company waited months before starting a full investigation, only confirming the breach after an employee discovered the stolen data advertised for sale on Reddit.
This breach put those affected at risk not just of the usual identity theft and fraud but of highly targeted social engineering attacks: if your genetic or family history is sold to a criminal, it can be used against you.
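What a credential-stuffing “warning sign” looks like in login logs, as an added example (this is not code from TechRadar or 23andMe, whose logging is not described in the article): one client address cycling through many different usernames with mostly failed attempts, and a handful of successes that identify the accounts to lock and reset. The log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
"""Credential-stuffing detector over constructed login-audit lines.

Added example, not code from TechRadar or 23andMe. The line format
(timestamp, source IP, username, OK/FAIL) and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are assumptions for illustration; tune them to your own baseline.
MIN_DISTINCT_USERS = 5   # one client trying this many accounts is not a typo
MIN_FAILURE_RATE = 0.5   # most stuffed credentials do not work on a new site

# Constructed sample: 203.0.113.7 sprays ten accounts and gets two hits;
# 198.51.100.x is ordinary traffic (one user, one mistyped password).
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice FAIL
2023-05-01T10:00:02Z 203.0.113.7 bob FAIL
2023-05-01T10:00:02Z 203.0.113.7 carol OK
2023-05-01T10:00:03Z 203.0.113.7 dave FAIL
2023-05-01T10:00:03Z 203.0.113.7 erin FAIL
2023-05-01T10:00:04Z 203.0.113.7 frank OK
2023-05-01T10:00:04Z 203.0.113.7 grace FAIL
2023-05-01T10:00:05Z 203.0.113.7 heidi FAIL
2023-05-01T10:00:05Z 203.0.113.7 ivan FAIL
2023-05-01T10:00:06Z 203.0.113.7 judy FAIL
2023-05-01T10:01:00Z 198.51.100.20 alice OK
2023-05-01T10:02:00Z 198.51.100.21 bob FAIL
2023-05-01T10:02:05Z 198.51.100.21 bob OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Split one 'timestamp ip user RESULT' line; None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    ts, ip, user, result = parts
    return ts, ip, user, result == "OK"


def aggregate(log: str) -> dict:
    """Per-source-IP attempt count, failure count and distinct usernames."""
    stats = defaultdict(SourceStats)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, ip, user, ok = rec
        s = stats[ip]
        s.attempts += 1
        s.failures += 0 if ok else 1
        s.users.add(user)
    return dict(stats)


def flag_stuffing(stats: dict) -> list:
    """Sources that spray many accounts with mostly failing logins."""
    hits = [(ip, s) for ip, s in stats.items()
            if len(s.users) >= MIN_DISTINCT_USERS
            and s.failure_rate >= MIN_FAILURE_RATE]
    return sorted(hits, key=lambda t: t[0])


def compromised_accounts(log: str, flagged_ips: set) -> list:
    """Accounts successfully logged into from a flagged source, in log order:
    these are the ones to lock and force through a password reset."""
    found = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec[1] in flagged_ips and rec[3] and rec[2] not in found:
            found.append(rec[2])
    return found


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    flagged = flag_stuffing(stats)
    for ip, s in flagged:
        print(f"{ip}: {len(s.users)} accounts tried, {s.failure_rate:.0%} failed")
    print("force reset:", compromised_accounts(SAMPLE_LOG, {ip for ip, _ in flagged}))
```

Per-IP counting is only the starting point: real stuffing campaigns spread attempts across proxy pools, so the same distinct-user and failure-rate signals should also be computed per ASN, per user agent and per time window, and the successful logins from flagged sources should trigger a forced reset and session revocation rather than just an alert.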
“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK,” confirmed John Edwards, UK Information Commissioner.
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”
An example would be a “family member” reaching out and asking for more information about you, or a “medical company” contacting you about an existing genetic health condition. If you are affected by this breach, be especially vigilant about any unexpected communications you receive.
“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm,” Edwards confirmed.

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.