ICO issues £2.31m GDPR fine to 23andMe over 2023 data breach

17/06/2025 | ICO

The Information Commissioner's Office (ICO) has issued a £2.31 million monetary penalty to the genetic testing company 23andMe for its failure to implement appropriate security measures to protect the personal information of its UK customers—an infringement of Articles 5(1)(f) and 32(1)(b) and (d) under the UK General Data Protection Regulation (GDPR).

The final decision was announced after the ICO issued a notice of intent to fine the company £4.59 million and a preliminary enforcement notice following a joint investigation with the Office of the Privacy Commissioner of Canada over a large-scale cyberattack in 2023. 

The investigation revealed that the company lacked appropriate authentication and verification measures, including mandatory multi-factor authentication and secure password protocols. The company also failed to implement suitable controls for accessing and downloading raw genetic data and did not have effective systems in place to monitor, detect, and respond to cyber threats.

In exploiting the weaknesses, a cyber attacker used a technique known as credential stuffing to gain unauthorised access to personal data belonging to 155,592 UK and 320,000 Canadian residents out of a total of 7 million people affected globally. Among the data that was potentially accessible were names, birth years, partial address information, profile images, race, ethnicity, family trees and health reports. 
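The pattern described above, one source spraying a password list across many distinct accounts, is the signature a monitoring system should catch even when each individual account sees only one or two failures. The following is an added example, not code from the ICO, 23andMe or any cited report; it assumes a hypothetical authentication log format and constructed sample lines.

```python
# Added example: a simple credential-stuffing detector over constructed auth-log lines.
# Hypothetical log format (assumption): "<ISO timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data): 203.0.113.7 cycles through eight
# accounts in seconds, mostly failing; 198.51.100.3 is one user retrying.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol LOGIN_OK
2023-10-01T10:00:04Z 203.0.113.7 dave LOGIN_FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin LOGIN_FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank LOGIN_FAIL
2023-10-01T10:00:07Z 203.0.113.7 grace LOGIN_OK
2023-10-01T10:00:08Z 203.0.113.7 heidi LOGIN_FAIL
2023-10-01T10:01:00Z 198.51.100.3 alice LOGIN_FAIL
2023-10-01T10:01:10Z 198.51.100.3 alice LOGIN_OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "LOGIN_OK"

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, max_success_ratio=0.5):
    """Return {ip: stats} for source IPs that, inside any `window`, attempt at
    least `min_accounts` distinct usernames with a low success ratio. Per-account
    lockout alone misses this; the signal is the breadth across accounts."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):            # sliding time window per source IP
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_accounts and successes / len(span) <= max_success_ratio:
                flagged[ip] = {"accounts": len(users), "attempts": len(span),
                               # accounts to force a password reset / session revoke on
                               "compromised": sorted(u for _, u, ok in span if ok)}
    return flagged
```

The successes inside a flagged window are the accounts whose reused passwords worked, which is the list an incident responder needs first.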

Additional reporting by The Guardian, IAPP and Pinsent Masons.

