Tue, 17 Jun 2025 18:48:58 GMT | www.bbc.com
UK watchdog fines 23andMe for 'profoundly damaging' data breach
5 hours ago
Liv McMahon, Technology reporter
DNA testing firm 23andMe has been fined £2.31m by a UK watchdog over a data breach in 2023 which affected thousands of people.

The Information Commissioner's Office (ICO) said the company - which has since filed for bankruptcy - failed to put adequate measures in place to secure sensitive user data prior to the incident.

"This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions," said Information Commissioner John Edwards.

23andMe is set to be sold to a new owner, TTAM Research Institute, which said it had "made several binding commitments to enhance protections for customer data and privacy."
23andMe's users were targeted by what is known as a "credential stuffing" attack in October 2023.

This saw hackers use passwords exposed in previous breaches to access 23andMe accounts for which people had used the same or similar credentials.

They were able to access 14,000 individual accounts - and, through those, download information relating to about 6.9m people linked to as possible relations on the site.

According to the ICO, this included access to personal data belonging to 155,592 UK residents, such as names, year of birth, geographical information, profile images, race, ethnicity, health reports and family trees.

Stolen data did not include DNA records.

"As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number," said Mr Edwards.