Genetic Privacy at Risk? 23andMe Fined Big After Data Leak

The420.in Staff

The UK’s data protection watchdog has imposed a £2.31 million (approx. ₹24 crore) fine on genetic testing firm 23andMe following what it described as a “profoundly damaging” cyberattack that compromised highly sensitive genetic and personal data of over 155,000 UK residents.

The Information Commissioner’s Office (ICO) found that 23andMe had committed serious security failings, including the absence of multi-factor authentication, weak password controls, and a failure to monitor for cyber threats, which allowed attackers to gain unauthorized access during two waves of credential stuffing attacks in 2023.

Sensitive Genetic Profiles Leaked Amid Security Failures

The breach, occurring between April and September 2023, exposed names, birth years, addresses, profile pictures, ethnicity, family trees, and health reports. According to the ICO, 23andMe did not require users to undergo verification when downloading raw genetic data, leaving critical information “vulnerable to exploitation and harm.”


The firm reportedly delayed investigating the breach until October 2023, when stolen genetic data was found advertised on Reddit months after the first signs of compromise were detected.

International Investigation and Bankruptcy Auction Follow Fallout

The fine stems from a joint investigation by the UK ICO and Canada’s Privacy Commissioner. Canada echoed concerns over the company’s negligence, emphasizing the increasing threat posed by sophisticated cyberattacks and poor corporate cyber hygiene.

In the wake of the breach and mounting financial losses, 23andMe filed for bankruptcy protection in the U.S. in March. The company is now poised for acquisition by a nonprofit led by co-founder Anne Wojcicki, whose $305 million bid topped rival Regeneron Pharmaceuticals.

Wojcicki recently testified before U.S. lawmakers on Capitol Hill regarding concerns over the future ownership and control of vast genetic databases held by the firm.


Experts Warn of Long-Term Risk to Users

The ICO received several complaints from customers worried about potential misuse of their DNA data, including surveillance, financial fraud, and discrimination.

Information Commissioner John Edwards said:

“This was a profoundly damaging breach that exposed people’s health and family history. Once this kind of data is leaked, it can’t be changed or reissued like a password or credit card.”

Privacy experts are urging 23andMe users to log in and delete their data, warning that third-party sales could further compromise personal safety.

About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.
