
23andMe fined millions by UK watchdog over 'profoundly damaging' cyber attack
The genetic testing company 23andMe is being fined £2.31m by the UK's privacy watchdog over their 2023 data breach that saw the personal information of seven million people stolen.
More than 150,000 Britons had their personal information taken by hackers. Family trees, health reports, race and ethnicity information may all have been stolen, along with addresses, dates of birth and profile pictures.
A database shared on dark web forums and viewed by Sky News' US partner network, NBC News, contained a list of 999,999 people who allegedly had Ashkenazi Jewish heritage, according to 23andMe's genetic profiling.
"Crazy. This could be used by Nazis," said one person at the time who appeared in the database.
The ICO's fine comes after a joint investigation with Canada's privacy watchdog.
It is the most severe punishment the watchdog can impose and reflects repeated failures to protect extremely sensitive data, according to the information commissioner.
"This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK," said John Edwards, the UK's Information Commissioner.
"23andMe failed to take basic steps to protect this information.
"Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm."
Despite the attack starting in April 2023, 23andMe did not open an investigation until October that year, when an employee discovered the stolen data had been advertised for sale on Reddit.
The company's defences only became strong enough to halt the attack by the end of that year - but that was not the end of 23andMe's troubles.
'Sue you to oblivion'
By March this year, the best-known genetic testing company in the world had filed for bankruptcy, unable to rebuild trust after the hack and make enough money from its business model.
It will now be sold for $305m (£225m) to 23andMe's original co-founder, Anne Wojcicki and her non-profit TTAM.
But a blistering exchange in the US Senate last week laid out fresh concerns for the sensitive data users have shared with 23andMe.
Senator Josh Hawley accused Joseph Selsavage, the interim chief executive of 23andMe, of lying to his customers when he says they can delete their genetic data from the company's databases.
"You're not deleting it," he said, "because if you were, your company wouldn't be worth $300m."
"I hope [users] will rush to the courthouse [...] to sue you into oblivion."
Mr Selsavage denied Senator Hawley's claims, saying his company deletes all user data when requested.
James Moss, the director of cyber investigations at law firm Addleshaw Goddard, told Sky News the ICO's fine was "about as serious as it gets" but an enforcement order, a notice from the watchdog that dictates how data can be used in the future, would be "more important".
"That's the notice which looks forward and says, 'look, you have a legal obligation under UK law to continue to protect the personal data of these 150,000 UK citizens'. And that's arguably the more important," he said.
A total of 28 US attorneys general last week launched a legal case against 23andMe to protect user data during the sale, and urged customers to purge their information from the firm's database, given the sensitivity of the data it has collected over the years.
23andMe already sells its users' genetic data and has made at least 30 deals with biotech and pharmaceutical companies like GSK.
A spokesperson for the 23andMe buyer, TTAM, told Sky News the non-profit had made "several binding commitments to enhance protections for customer data and privacy".
These include allowing individuals to delete their account and opt out of research at any time, notifying customers at least two days before the deal closes about what TTAM's acquisition means for them and agreeing, if TTAM were to sell the company again, only to sell it to someone who agrees to adopt TTAM's privacy policies and comply with data laws.
Customers will also be offered two years of free Experian identity theft monitoring, while TTAM will continue to allow "de-identified data" to be used for scientific and biomedical research at universities and nonprofits.
No money for UK victims
The £2.31m fine money will go to the state rather than to individuals affected by the hack.
In the US, victims of the hack won $30m in a class action lawsuit last year, but that's not an option in the UK, despite the incredibly sensitive information that was shared.
Class action lawsuits for data breaches could "improve and increase accountability for data-protection breaches", according to solicitor Alex Lawrence Archer from the data law agency AWO.
"But also help individuals who are affected get something back, help them get redress, because a fine paid to the ICO doesn't achieve that. Although [the fine] is welcome, it doesn't help individuals."
For anyone thinking about using one of the many genetic testing companies that have sprung up since 23andMe was founded in 2006, Mr Lawrence Archer has cautionary advice.
"Handing over your genetic data is a really big step, and it's something that [...] people have hitherto been encouraged to take quite lightly," he said.
"There's no hard and fast rule like you should or you shouldn't do it, but it's something that you should think really carefully about.
"It can be a quite permanent step that's very difficult to undo. It's not something that should be done lightly."
