23andFineMe: ICO fines DNA testing company millions under GDPR data breach

The Information Commissioner’s Office (the “ICO”) has fined DNA testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect UK users’ personal data, after a data breach which occurred in 2023. The investigation was undertaken by the ICO and its Canadian counterpart, the Office of the Privacy Commissioner of Canada.

The breach 23andMe suffered was a “credential stuffing” attack, in which cyber-criminals take username and password combinations stolen from one service and try them against user accounts on other websites. Credential stuffing is highly effective because so many people reuse the same password across multiple sites.
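The pattern described above, many distinct usernames tried from one source with a high failure rate, is what distinguishes credential stuffing from a legitimate user mistyping a password. The following detection sketch is an added example, not part of the original article or 23andMe's systems; it runs over constructed login records and flags sources that fit the pattern, together with the accounts they logged into successfully (the accounts a defender would force-reset).

```python
"""Flag credential-stuffing patterns in login logs (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records: timestamp,source_ip,username,outcome (OK / FAIL).
# 203.0.113.9 sprays six different accounts; 198.51.100.4 is one user retrying.
SAMPLE_LOG = """\
2023-05-01T02:00:01,203.0.113.9,alice@example.test,FAIL
2023-05-01T02:00:02,203.0.113.9,bob@example.test,FAIL
2023-05-01T02:00:03,203.0.113.9,carol@example.test,OK
2023-05-01T02:00:04,203.0.113.9,dave@example.test,FAIL
2023-05-01T02:00:05,203.0.113.9,erin@example.test,FAIL
2023-05-01T02:00:06,203.0.113.9,frank@example.test,OK
2023-05-01T08:15:00,198.51.100.4,grace@example.test,FAIL
2023-05-01T08:15:20,198.51.100.4,grace@example.test,FAIL
2023-05-01T08:15:45,198.51.100.4,grace@example.test,OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct usernames tried
    compromised: set = field(default_factory=set)  # usernames with a successful login


def parse_log(text):
    """Yield (source_ip, username, succeeded) for each CSV record."""
    for line in text.splitlines():
        _ts, ip, user, outcome = line.strip().split(",")
        yield ip, user, outcome == "OK"


def detect_stuffing(text, min_users=5, min_fail_ratio=0.5):
    """Return {source_ip: sorted compromised usernames} for sources that tried
    at least min_users distinct accounts with a failure ratio >= min_fail_ratio."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.compromised.add(user)
        else:
            s.failures += 1
    return {ip: sorted(s.compromised) for ip, s in stats.items()
            if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio}
```

Thresholds are placeholders; in practice they are tuned per site and combined with mandatory multi-factor authentication, which turns a correct reused password into a failed login.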

23andMe’s systems were initially infiltrated in April 2023, with the first period of extensive credential stuffing occurring in May 2023. In August 2023, 23andMe dismissed a claim of data theft affecting 10+ million users as a hoax. However, it was later revealed that the company had already conducted isolated investigations into unauthorised access to its systems in July 2023. A further wave of credential stuffing followed in September 2023. 23andMe did not begin a full investigation until October 2023, when an employee discovered the stolen data advertised for sale on Reddit. But the £2.31m question is: what data was stolen?

The hackers involved were able to access 14,000 individual accounts – giving them information relating to approximately 6.9 million people linked to those accounts as possible relatives on the website. The ICO confirmed that the attackers were able to access the personal data of 155,592 UK residents, including names, year of birth, race, ethnicity, geographical information, health reports, family trees and profile images.

23andMe holds an abundance of personal data about its users, much of it “special category data”. Special category data is defined in Article 9 of UK GDPR as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. Any organisation processing special category data is subject to higher scrutiny from the ICO and is encouraged to have additional security measures in place to keep that data secure.

23andMe was found to have breached UK data protection law because of the lack of authentication and verification mechanisms in its login process to protect users’ data. In particular, it did not require multi-factor authentication, such as verifying users on an additional device or through one-time passwords. Information Commissioner John Edwards stated: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions”.

If your business suffers a data breach in which personal data is compromised, you may have to report it to the ICO. A personal data breach must be reported to the ICO within 72 hours of your becoming aware of it, unless you can demonstrate that it is unlikely to pose a risk to individuals’ rights and freedoms.

If you require any data protection advice, contact our Corporate, Commercial & Regulatory team.
