A UK watchdog has fined genetic testing company 23andMe £2.31m over a “profoundly damaging” cyber attack that exposed the personal information of seven million people in the UK. The data breach, which occurred in 2023, saw hackers steal family trees, health reports, and sensitive information such as addresses and dates of birth. The company’s inadequate security measures left users’ data vulnerable to exploitation, with many accusing the company of failing to protect their most sensitive information.
The Information Commissioner’s Office (ICO) stated that 23andMe’s repeated failures to protect extremely sensitive data had led to this severe punishment. The fine is the most serious punishment the ICO can impose and reflects the significant harm caused by the breach. Despite the attack starting in April 2023, 23andMe did not act until October of that year, when an employee discovered stolen data was being advertised for sale on Reddit.
The company’s troubles continued, with 23andMe filing for bankruptcy in March this year due to its inability to rebuild trust after the hack. The genetic testing company will now be sold to 23andMe’s original co-founder Anne Wojcicki and her non-profit TTAM for $305m (£225m). However, a recent US Senate exchange raised concerns over sensitive data users have shared with 23andMe, with Senator Josh Hawley accusing the company of lying about deleting genetic data from its databases.
The fine is unlikely to provide significant redress to UK victims, as it will go directly to the state. Solicitor Alex Lawrence Archer noted that class action lawsuits for data breaches can “improve and increase accountability” but also help individuals affected by the hack receive compensation. As genetic testing companies continue to grow, experts advise users to carefully consider handing over their genetic data, as it is a permanent step with significant consequences.
Source: https://news.sky.com/story/23andme-fined-millions-by-uk-watchdog-over-profoundly-damaging-cyber-attack-13384880