UK Information Commissioner’s Office fines 23andMe 2.3 million pounds for failing to protect genetic privacy

June 22, 2025

Since the genomic testing company 23andMe filed for bankruptcy (and even before then) it has been consistently in the news. There was profound concern that the genetic data of millions of people could be sold to third parties in any liquidation. The initial calls for customers to retrieve their data escalated to litigation against 23andMe. As it turned out, the co-founder and former CEO has purchased nearly all of the company's assets for $305 million through a non-profit, TTAM Research Institute. The problems with 23andMe predate its financial woes. The UK Information Commissioner's Office has recently issued a fine of £2.31 million against the company for failing to implement appropriate security measures following a cyber attack in 2023. The ICO and the Canadian Privacy Commissioner undertook a combined investigation into 23andMe's systems.

The media release provides:

We have fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.

The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.

What happened

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.

This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer’s account.

Our investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.

John Edwards, UK Information Commissioner, said:

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”

Philippe Dufresne, Privacy Commissioner of Canada, said:

“Strong data protection must be a priority for organisations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organisation that is not taking steps to prioritise data protection and address these threats is increasingly vulnerable.

“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources, and expertise, we are able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”

Summary of the contraventions

The joint investigation into 23andMe revealed serious security failings at the time of the 2023 data breach. The company breached UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.

23andMe’s response to the unfolding incident was inadequate. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023. In August 2023, a claim of data theft affecting over 10 million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023. Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.

By the end of 2024, the security improvements made by 23andMe were sufficient to bring an end to the breaches identified in our provisional decision.

You can read the full details of the incident in our monetary penalty notice.

Impact on consumers

The combination of personal information that could be found in 23andMe accounts, such as post codes, race, ethnic origin, familial connections, and health data could potentially be exploited by malicious actors for financial gain, surveillance or discrimination. The ICO received 12 complaints from consumers. Some of the people affected by the breach told us the following:

“I expected rigorous privacy controls to be in place due to the nature of the information collected. Unlike usernames, passwords and e-mail addresses, you can’t change your genetic makeup when a data breach occurs.”

“Disgusted that my DNA data could be out there in the wild and been exposed to bad actors. Extremely anxious about what this could mean to my personal, financial and family safety in the future. Anxious about my 23andme connections, who may have been impacted and what this may mean further down the line for me.”

Legal requirements and our guidance

The law requires organisations to take proactive steps to protect themselves against cyber attacks. Our guidance recommends using two-factor or multi-factor authentication wherever possible, particularly when sensitive personal information is being collected or processed. In addition, organisations should regularly scan for vulnerabilities and instal the latest security patches without delay.

We have detailed guidance to help organisations understand their security obligations. Last year we published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.

Advice for the public

The responsibility to keep people’s information secure lies first and foremost with companies that collect and use personal information, and they have a legal duty to take this responsibility seriously.

But there are also steps people can take to protect their personal information, for example: use strong, unique passwords for each account; enable multi-factor authentication wherever possible; and remain vigilant against phishing emails or messages that reference personal or genetic information.

The regulatory structure applying in the United Kingdom differs from Australia's, sometimes quite significantly. That said, both have similar approaches when it comes to reviewing and, where appropriate, penalising breaches of security. It is therefore relevant to consider Penalty Notices issued by the ICO. The ICO has a longer and more comprehensive history of issuing Penalty Notices and a developed methodology. The number of Enforceable Undertakings in Australia has been relatively modest, and they are not nearly as comprehensive as those in the United Kingdom and the United States of America. That is likely to change over time with the increased powers and size of penalties under the Privacy Act 1988.

The Penalty Notice is 153 pages long. It is one of the most detailed written assessments of the failures and also, very helpfully, of what is best practice. It is a very useful resource. The relevant takeaways of the Penalty Notice are:

  • the failures in security were identified as failures to implement:
    • appropriate authentication and verification measures as part of its customer login process, including, but not limited to, mandatory multi-factor authentication
    • appropriate security measures specifically focused on the access to, and download of, health/genetic data
    • measures which enabled 23andMe to monitor for, detect and appropriately respond to threats to its customers’ personal data
    • an appropriate process for regularly testing and assessing the effectiveness of its technical and organisational security measures
  • the failures allowed the cyber attacker to perpetrate a credential stuffing attack over the course of at least five months, during which they obtained access to personal data relating to 155,592 UK-based customers of 23andMe. The personal data exfiltrated by the threat actor was offered for sale on a number of online forums in August and October 2023, with the relevant posts indicating that the threat actor had targeted 23andMe customers according to their racial and ethnic background [13]
  • the harm which arose, or could have arisen, from the Infringements, including feelings of extreme anxiety about the consequences for their personal, financial and family safety and concerns that the personal data accessed could be used to target specific groups [15]
  • the seriousness of the breach was aggravated by:
    • 23andMe’s failure to identify the Data Breach at an earlier stage, despite multiple indications of anomalous and unauthorised activity
    • deficiencies in the content of 23andMe’s notifications of the Data Breach to the Commissioner
  • the cyber attackers accessed personal information relating to 323 UK individuals [117]
  • regarding deficiencies in the password policies, the ICO criticised that they:
    • only included a minimum character requirement of eight characters
    • did not include password complexity requirements
    • contained insufficient measures to prevent the use of common words or known compromised credentials
    • allowed customers to reset their passwords to any previously used password [142]
    • while warning clients about reusing passwords 23andMe did not direct them to resources when creating or changing passwords [143]
    • failed to maintain a comprehensive password “deny list” of commonly used words or phrases which could not be used by customers when creating their passwords, nor implement measures to assist customers to choose strong passwords [144]
  • 23andMe’s reliance upon the provision of customer credentials as the sole customer authentication measure supports the conclusion that it would have been appropriate for 23andMe to have implemented an alternative system of credential checks which utilised a far more extensive database of known compromised credentials as part of its technical security measures designed to protect its customers against the risk of brute force attacks such as credential stuffing [150]
  • the failure to mandate MFA was a failure to implement appropriate technical measures to ensure the ongoing confidentiality and integrity of personal data noting:
    • MFA is one of the most effective ways of providing additional protection to a password. MFA is a strong authentication method which requires two or more factors to gain access to a network, system or application. Each factor must come from a different category of the three recognised authentication methods (i.e. knowledge, possession and inherence or traits) [153]
    • it prioritised customer convenience and ease of use of the Platform over the security of customer accounts [157]
  • in finding that 23andMe failed to operate any additional verification steps prior to customers accessing or downloading Raw Genetic Data the ICO stated:
    • this failure exposed the Raw Genetic Data of customers whose accounts had been credential stuffed to unauthorised access and processing; the ICO regards this failure as particularly significant in light of the lack of default technical security measures applied during the login process at the time of the Data Breach, particularly the absence of mandatory MFA [173]
    • because of a problem with the system, the log entry generated when Raw Genetic Data was downloaded incorrectly recorded an internal IP address rather than the IP address of the customer who initiated the download request. As a result of this misconfiguration, 23andMe was not able to establish which IP addresses were being used to initiate each download of Raw Genetic Data
  • regarding the failure to prepare for a credential stuffing attack, the ICO stated:
    • there had been a failure to implement an appropriate process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of its processing systems and services such as
      • vulnerability scanning
      • penetration testing
  • the failure to account for the threat of credential stuffing attacks within its vulnerability assessments and penetration tests resulted in a failure to test the robustness of the security measures integrated into its login process, to evaluate the effectiveness of the measures employed to detect unauthorised activity on customer accounts, and to improve the speed and effectiveness of its incident response processes, all of which left the Platform more vulnerable to a credential stuffing attack. That was particularly so given the increase in credential stuffing attacks in recent years.
  • regarding the failure to implement appropriate and effective measures to monitor, detect and respond to unauthorised activity, the ICO stated that the rate-limiting rules failed to detect and alert 23andMe to the high volume of both successful and unsuccessful login attempts by the threat actor, and specifically found that it failed to:
    • implement a system of device or connection monitoring or suspicious activity alerts
    • implement effective rate-limiting rules and alerts;
    • monitor for and detect anomalous customer activity; and
    • implement an appropriate organisational response to evidence of a personal data breach.
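A policy check covering the password gaps listed above (eight-character minimum, no complexity rule, no deny list, no compromised-credential check, permitted reuse of old passwords), as an added example that is not from the Penalty Notice or from 23andMe; the 12-character minimum, the deny list, the compromised-credential set and the sample history are constructed assumptions.

```python
# Added example, not code from the ICO notice or from 23andMe: a password policy
# check that covers the gaps listed above (eight-character minimum, no complexity
# rule, no deny list, no compromised-credential check, reuse of old passwords).
# The deny list, the compromised-credential set and the history are constructed.
import hashlib
import re

MIN_LENGTH = 12  # assumption: a higher floor than the eight characters criticised
# Constructed deny list of common words; a production list would be far larger.
DENY_LIST = {"password", "qwerty", "letmein", "welcome", "23andme", "genome"}
# Constructed stand-in for a breached-credential corpus, kept as SHA-1 digests
# because that is how such corpora are usually queried, never as plaintext.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("Summer2023!", "Password123")
}

def history_hash(password, salt):
    """Salted, slow hash used to store password history for the reuse check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(candidate, history):
    """Return policy failures for `candidate`; an empty list means it is acceptable.
    `history` is a list of (salt, history_hash) pairs for the user's old passwords."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Complexity: require at least three of the four character classes.
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        failures.append("fewer than three character classes")
    if any(word in candidate.lower() for word in DENY_LIST):
        failures.append("contains a deny-listed word")
    if hashlib.sha1(candidate.encode()).hexdigest() in COMPROMISED_SHA1:
        failures.append("appears in known compromised credentials")
    if any(history_hash(candidate, salt) == digest for salt, digest in history):
        failures.append("reuses a previously used password")
    return failures
```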
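Detection logic for the monitoring failures described above (rate-limiting and anomalous-activity alerts that count successful as well as failed logins, and the download log that recorded an internal IP instead of the customer's), as an added example that is not the ICO's or 23andMe's code; the log format, the sample events and the thresholds are constructed assumptions.

```python
# Added example, not the ICO's or 23andMe's code. Rule 1 flags a source IP that
# tries many distinct accounts in a short window, counting successes as well as
# failures, since a stuffing run succeeds on some accounts. Rule 2 flags raw-data
# download records whose source IP is internal, so the download cannot be attributed.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log, one event per line: "<timestamp> <event> <account> <source_ip>"
SAMPLE_LOG = """\
2023-05-01T10:00:00 login_failure user001 203.0.113.9
2023-05-01T10:00:01 login_failure user002 203.0.113.9
2023-05-01T10:00:02 login_success user003 203.0.113.9
2023-05-01T10:00:03 login_failure user004 203.0.113.9
2023-05-01T10:00:04 login_success user005 203.0.113.9
2023-05-01T10:00:05 login_failure user006 203.0.113.9
2023-05-01T10:05:00 login_success user010 198.51.100.7
2023-05-01T10:06:00 raw_download user003 10.0.0.5
2023-05-01T10:07:00 raw_download user010 198.51.100.7
"""
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, event, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, account, ip))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Source IPs that touched at least `min_accounts` distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for ts, event, account, ip in events:
        if event in ("login_success", "login_failure"):
            by_ip[ip].append((ts, account))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_window = {acct for ts, acct in attempts[i:] if ts - start <= window}
            if len(in_window) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def downloads_with_internal_ip(events):
    """Raw-data downloads logged against an internal address instead of the customer's IP."""
    return [account for _, event, account, ip in events if event == "raw_download"
            and any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)]
```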
