
Regulatory Fine Issued to 23andMe For Security Failings

Data protection commissioners say it failed to implement appropriate authentication and verification measures.


The genetic testing company 23andMe has been fined £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users.

The penalty relates specifically to a large-scale cyber-attack that took place in 2023, and follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.

Credential Stuffing

Over several months, an attacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that had been stolen in previous, unrelated data breaches.

This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports.

The ICO’s investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data. This was deemed to be a breach of UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames.
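Credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts with a small number of attempts each, whereas a legitimate user who mistypes a password retries the same account. The following detector is an added example (not code from 23andMe, the ICO or the article); it assumes a simple constructed log format of `timestamp source_ip username result` and flags sources whose pattern matches stuffing, listing the accounts that succeeded from such a source so they can be locked and forced through re-authentication.

```python
# Added example (not from the article): flag credential-stuffing sources in
# constructed auth log lines. Assumed format: "<timestamp> <ip> <user> <OK|FAIL>".
from collections import defaultdict

# Constructed sample log lines for the example; addresses are documentation ranges.
SAMPLE_LOG = """\
2023-04-03T10:00:01 203.0.113.7 alice@example.test FAIL
2023-04-03T10:00:02 203.0.113.7 bob@example.test FAIL
2023-04-03T10:00:03 203.0.113.7 carol@example.test OK
2023-04-03T10:00:04 203.0.113.7 dave@example.test FAIL
2023-04-03T10:00:05 203.0.113.7 erin@example.test FAIL
2023-04-03T10:00:06 203.0.113.7 frank@example.test OK
2023-04-03T10:01:00 198.51.100.9 grace@example.test FAIL
2023-04-03T10:01:10 198.51.100.9 grace@example.test FAIL
2023-04-03T10:01:20 198.51.100.9 grace@example.test OK
"""

def parse_log(text):
    """Yield (ip, username, success) tuples from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"

def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.5):
    """Return {ip: stats} for sources that look like credential stuffing:
    many distinct usernames and a high failure rate. Successful logins from
    such a source are the accounts to lock and step up to MFA."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": []})
    for ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        if ok:
            s["hits"].append(user)
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(fail_ratio, 2),
                           "compromised_accounts": sorted(s["hits"])}
    return flagged
```

In practice stuffing is spread across many proxy addresses, so a per-source rule like this is paired with a global failed-login rate and a per-account "first login from a new device" check; the point is that the signal exists in logs from day one, rather than months later.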

The commissioners also said that 23andMe’s response to the unfolding incident was inadequate, as after a credential stuffing attack in April 2023, it was three months before investigations into unauthorised activity on its platform were conducted.

Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.

Profoundly Damaging

John Edwards, UK Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK.

“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”

Commenting, Adam Casey, director of tmc3, a Qodea Company, said that the financial penalty facing 23andMe is a stark reminder of the real-world costs of poor cyber-hygiene and the failings highlighted by the ICO underline just how critical identity and access management is to cybersecurity.

“To avoid making the same mistakes, businesses must identify high-risk users and enforce strong controls like MFA,” he said. “They also need proactive defence through robust security controls, regular patching, vulnerability management, and comprehensive employee training. Additionally, effective monitoring and detection capabilities are essential to identify breaches early and minimise damage.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

