DNA testing company 23andMe has been fined £2.31m by a UK watchdog over a data breach in 2023 which affected hundreds of thousands of people.
The Information Commissioner’s Office (ICO) said the company – which has since filed for bankruptcy – did not put adequate measures in place to secure sensitive user data prior to the incident.
“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions,” said Information Commissioner John Edwards.
23andMe is set to be sold to a new owner, TTAM Research Institute, which said it had “made several binding commitments to enhance protections for customer data and privacy.”
23andMe’s users were targeted by what is known as a “credential stuffing” attack in October 2023.
This saw hackers use passwords exposed in earlier breaches to access 23andMe accounts for which people had reused the same or similar credentials.
They were able to access 14,000 individual accounts – and, through these, download information relating to about 6.9m people linked to them as potential relatives on the site.
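To make the attack pattern concrete, here is an added example (not from the article, the ICO or 23andMe) of detection logic run over constructed login-log lines. The signal that separates credential stuffing from an ordinary user mistyping a password is the shape of the traffic: one source trying many different usernames with a high failure rate, with the occasional success marking an account whose reused password was in the attacker's list. The log format, IP addresses, usernames and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not real 23andMe logs): one line per login attempt.
# 203.0.113.7 sprays eight different usernames; 198.51.100.4 is one user
# fumbling their own password; 192.0.2.9 is a clean single login.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2023-10-01T12:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2023-10-01T12:00:02Z ip=203.0.113.7 user=carol@example.com result=success
2023-10-01T12:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2023-10-01T12:00:04Z ip=203.0.113.7 user=erin@example.com result=fail
2023-10-01T12:00:05Z ip=203.0.113.7 user=frank@example.com result=success
2023-10-01T12:00:06Z ip=203.0.113.7 user=grace@example.com result=fail
2023-10-01T12:00:07Z ip=203.0.113.7 user=heidi@example.com result=fail
2023-10-01T12:00:10Z ip=198.51.100.4 user=ivan@example.com result=fail
2023-10-01T12:00:15Z ip=198.51.100.4 user=ivan@example.com result=fail
2023-10-01T12:00:20Z ip=198.51.100.4 user=ivan@example.com result=success
2023-10-01T12:01:00Z ip=192.0.2.9 user=judy@example.com result=success
"""

# Hypothetical log layout; adapt the regex to the real authentication log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Turn raw log text into a list of dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct usernames with a high failure rate.

    A user who mistypes their own password hits one username repeatedly, so
    the distinct-username count stays at 1 and is never flagged. For each
    flagged source, the usernames that logged in successfully are the accounts
    whose reused password was in the attacker's list and need forced resets.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "hits": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["total"] += 1
        if e["result"] == "fail":
            stats["fail"] += 1
        else:
            stats["hits"].add(e["user"])

    findings = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["fail"] / stats["total"]
        if len(stats["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised_candidates": sorted(stats["hits"]),
            }
    return findings


if __name__ == "__main__":
    for ip, f in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

Per-source aggregation is the simplest cut and is what the example shows; real campaigns spread attempts across rotating proxy addresses, so a production detector would also aggregate by network, client fingerprint and a site-wide failure rate over time. Any account in `compromised_candidates` should have its sessions revoked and password reset, not just be logged.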
According to the ICO, this included access to personal data belonging to 155,592 UK residents, such as names, year of birth, geographical information, profile images, race, ethnicity, health reports and family trees.
The stolen data did not include DNA records.
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number,” said Mr Edwards.
Because of its more sensitive nature, genetic data is considered special category data under UK data protection law and requires extra protections and safeguards.
Companies controlling it should consider having additional security measures in place to help secure it, according to the ICO’s guidance.
Its investigation – launched alongside Canada’s privacy commissioner last June – found that 23andMe breached UK data protection law by not having appropriate authentication and verification measures for customers during its login process.
This included not having mandatory multi-factor authentication, which would have required users logging in to verify themselves via additional means or devices.
The company also did not have secure password requirements or additional verification requirements for users attempting to download raw genetic data, it added.
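The two login-side controls the ICO describes as missing, illustrated as an added example (not 23andMe’s code; the breach corpus, names and thresholds are constructed for illustration): rejecting a chosen password that appears in a known-breach corpus, using the hash-prefix (k-anonymity) lookup pattern so the full password hash never leaves the client, and a step-up check that refuses a raw genetic data export unless a second factor has been proven within the last few minutes of the session.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed breach corpus: upper-case SHA-1 hashes of passwords seen in
# earlier, unrelated breaches. Stands in for a breached-password service or
# a locally held corpus; the passwords here are made up for the example.
KNOWN_BREACHED = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["password123", "qwerty2023", "letmein!"]
}


def breached_suffixes_for_prefix(prefix, corpus=KNOWN_BREACHED):
    """Simulated server side of a range lookup: given the first five hex chars
    of a SHA-1, return the suffixes of every corpus hash sharing that prefix."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def password_in_breach_corpus(password):
    """k-anonymity check: only a 5-char hash prefix is sent out; the client
    compares the returned suffixes locally against its own hash suffix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breached_suffixes_for_prefix(prefix)


def password_acceptable(password, min_length=12):
    """Secure password requirement: not breached, and not trivially short.
    The breach check runs first because a leaked password is unacceptable
    regardless of its length."""
    if password_in_breach_corpus(password):
        return False, "appears in a known breach"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


@dataclass
class Session:
    user: str
    mfa_enrolled: bool
    seconds_since_mfa: Optional[int] = None  # None: no second factor this session


def authorize_raw_data_download(session, max_mfa_age=300):
    """Step-up verification: exporting raw genetic data is the highest-value
    action on the account, so a fresh second-factor proof is required even
    if the password login succeeded (which a stuffed credential would)."""
    if not session.mfa_enrolled:
        return "deny: enrol a second factor first"
    if session.seconds_since_mfa is None or session.seconds_since_mfa > max_mfa_age:
        return "challenge: re-verify with second factor"
    return "allow"


if __name__ == "__main__":
    print(password_acceptable("password123"))
    print(authorize_raw_data_download(Session("carol@example.com", True, 60)))
```

The step-up check is what limits the damage from a stuffed password: a reused credential gets the attacker past the login page, but not past the export of the most sensitive data. Threshold values such as `max_mfa_age` and `min_length` are illustrative.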
Mr Edwards said such failures and delays in resolving them “left people’s most sensitive data vulnerable to exploitation and harm”.
“Their security systems were inadequate, the warning signs were there, and the company was slow to respond,” he said.
The company says it resolved the issues identified during the ICO and the Office of the Privacy Commissioner of Canada (OPC)’s probe by the end of 2024.
Both watchdogs recently called on 23andMe to protect the sensitive personal data of its customers amid its bankruptcy proceedings.
The company was initially set to be sold to biotechnology firm Regeneron Pharmaceuticals in a $256m deal.
But 23andMe said on Friday it had agreed to the sale of its assets to TTAM Research Institute – a non-profit biotech organisation led by its co-founder and former chief executive Anne Wojcicki.
It said the purchase of the company for a new price of $305m would come with binding commitments to uphold existing policies and consumer protections, such as letting customers delete their accounts and genetic data and opt out of research.
A bankruptcy court is scheduled to hear the case for its approval on Wednesday.