UK data watchdog fines 23andMe £2.3M over incompetently handled 2023 DNA megabreach

The UK’s data watchdog is fining beleaguered DNA testing outfit 23andMe £2.31 million ($3.13 million) over its 2023 mega breach.

Among the various security failings demonstrated by the genetics company were:

  • Unsatisfactory authentication measures, including no mandatory multi-factor authentication (MFA) and weak password requirements
  • No measures in place to prevent raw genetic data from being accessed and downloaded
  • No measures in place to adequately monitor, detect or respond to security threats to user data

The announcement comes a year after the Information Commissioner’s Office (ICO) and Office of the Privacy Commissioner of Canada (OPC) teamed up to investigate 23andMe and the failures that led to attackers compromising nearly 7 million users’ data.

John Edwards, the UK’s Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us, once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

The ICO went on to note the five-month gap between the attacker’s credential-stuffing activity, which began in April 2023, and 23andMe finally acknowledging the attack publicly in October that year.

It said 23andMe “missed many opportunities to act” during this time and only did so after the stolen data was put up for sale on Reddit.
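The monitoring gap the ICO describes is the kind of thing a basic authentication-log heuristic would have surfaced. As an added illustration for this post (example code, not anything from 23andMe, the ICO or The Register), the Python below runs a credential-stuffing check over constructed login records: one source IP trying many distinct accounts roughly once each, with a low success rate, is the signature of stuffing rather than of a user forgetting a password. The log line format, the IP addresses, the thresholds and the window size are all assumptions made for the example.

```python
"""Credential-stuffing detector over constructed authentication records.

Assumed log line format (not a real 23andMe format):
    <ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed sample traffic: three normal users plus one stuffing source."""
    t0 = datetime(2023, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Normal users: one mistyped password, then success, each from their own IP.
    for i, user in enumerate(["alice", "bob", "carol"]):
        ip = f"198.51.100.{i + 1}"
        t = t0 + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} {ip} {user} LOGIN_FAIL")
        lines.append(f"{(t + timedelta(seconds=20)).isoformat()} {ip} {user} LOGIN_OK")
    # Stuffing: one IP tries 40 distinct accounts once each; 1 in 10 succeeds
    # (reused passwords), which is the low hit rate typical of a leaked list.
    for i in range(40):
        t = t0 + timedelta(seconds=5 * i)
        outcome = "LOGIN_OK" if i % 10 == 0 else "LOGIN_FAIL"
        lines.append(f"{t.isoformat()} 203.0.113.7 user{i:03d} {outcome}")
    lines.sort()  # same fixed-width timestamp format, so lexical order is time order
    return lines


def parse_line(line):
    """Return (timestamp, ip, username, succeeded) for one log line."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_accounts=20, max_attempts_per_account=1.5):
    """Flag source IPs that, within a sliding window, touch many distinct
    accounts with about one attempt each.

    Brute force against a single account shows few accounts and many
    attempts per account; stuffing shows the opposite. Thresholds are
    illustrative. Keying on IP alone misses stuffing spread across a proxy
    pool; the same logic can be keyed on ASN, device fingerprint or
    user-agent cluster instead.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)  # ip -> (ts, user, ok) inside the window
    alerts = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()
        accounts = {u for _, u, _ in q}
        attempts_per_account = len(q) / len(accounts)
        if len(accounts) >= min_accounts and attempts_per_account <= max_attempts_per_account:
            # Accounts that succeeded from a flagged source are the ones to
            # force through a password reset and MFA enrolment.
            compromised = sorted({u for _, u, o in q if o})
            alerts[ip] = {
                "accounts": len(accounts),
                "attempts": len(q),
                "compromised": compromised,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(build_sample_log()).items():
        print(f"{ip}: {info['accounts']} accounts, {info['attempts']} attempts, "
              f"compromised={info['compromised']}")
```

Run as-is it flags only 203.0.113.7 and lists the four accounts that succeeded from it; the three normal users never trip the check because each source touches a single account. The point is not the specific thresholds but that the raw material for the "warning signs" the Commissioner refers to is ordinary login telemetry, provided something is actually looking at it.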

[…]

Source: UK data watchdog fines 23andMe £2.3M over 2023 breach • The Register

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com