DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack | ডিএনএ টেস্টিং ফার্ম 23 ওএমই 2023 ডেটা হ্যাকের জন্য ইউকে নিয়ন্ত্রক দ্বারা £ 2.3m জরিমানা করেছে
Information stolen from US company included details of 150,000 British residents including family trees
The genetic testing company 23andMe has been fined more than £2.3m for failing to protect the personal information of more than 150,000 UK residents after a large-scale cyberattack in 2023.
Everything You Need to Know About Testing Firm
Family trees, health reports, names and postcodes were among the sensitive data hacked from the California-based company. It only confirmed the breach months after the infiltration started and once an employee saw the stolen data advertised for sale on the social media platform Reddit, according to the UK Information Commissioner’s Office – which levied the fine.
The information commissioner, John Edwards, called the months-long incident across the summer of 2023 a “profoundly damaging breach”. The compromise of UK data was just a fraction of the wider losses, with the data of 7 million people affected.
23andMe charges users £89 to have their DNA screened using a saliva-based kit, allowing them to discover where their distant ancestors came from in terms of their ethnicity and location. But many customers asked for their DNA data to be deleted from the company’s archives after the hack and it filed for bankruptcy protection in the US in March.
The fine came as a $305m bid to buy the company led by its former chief executive, Anne Wojcicki, looked poised to retake control of the company in a bankruptcy auction.
Edwards said the data breach “exposed sensitive personal information, family histories and even health conditions of thousands of people in the UK”.
Key Insights on 23andme
“As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number,” he said.
23andMe failed to take basic steps to protect the information and their security systems were inadequate, the UK data protection regulator found. The breaches included failing to install tougher user authentication.
The hacker exploited a common weakness caused by users reusing passwords that had already been stolen in other unrelated data breaches. Hackers then used automated tools to try these passwords in a tactic called “credential stuffing”.
Advanced Analysis of Fined
“The warning signs were there, and the company was slow to respond,” said Edwards, who carried out the investigation jointly with the privacy commissioner of Canada. “This left people’s most sensitive data vulnerable to exploitation and harm.”
A spokesperson for the company said 23andMe had since implemented multiple steps to increase security to protect individual accounts and information. They said that as part of the deal to acquire 23andMe, Wojcicki’s non-profit, the TTAM Research Institute, has made “binding commitments to enhance protections for customer data and privacy, including allowing individuals to delete their account and opt out of research at any time” and “agreeing not to sell or transfer genetic data under a subsequent bankruptcy or change of control”, and offering customers two years of free identity theft monitoring.
The fine is among several multimillion pound punishments meted out by the ICO in recent years for failure to protect data from hacks and ransomware attacks. In 2022, it fined the construction company Interserve £4.4m when staff data was compromised, including contact details, bank accounts, sexual orientation and health.
In March this year it fined an NHS IT supplier, Advanced Computer Software Group, nearly £3.1m for security failings that put the personal information of nearly 80,000 people at risk.
For more information on technology news and updates, check out our Technology section.
Stay Updated with Latest Tech News
Subscribe to our newsletter to receive the latest updates on testing, firm, 23andme, fined, £2.3m and other technology trends.
Source: The Guardian
Author: Robert Booth UK technology editor
Publication Date: 2025-06-17T13:45:45Z
Category: Technology
Hello, my name is Jack Sparrow. I'm a 50 year old self-employed Pirate from the Caribbean.
No comments:
Post a Comment