23andMe fined millions by UK watchdog over 'profoundly damaging' cyber attack

Sky News

4 hours ago

The genetic testing company 23andMe is being fined £2.31m by the UK's privacy watchdog over their 2023 data breach that saw the personal information of seven million people stolen.
More than 150,000 Britons had their personal information taken by hackers. Family trees, health reports, race and ethnicity information may all have been stolen, along with addresses, dates of birth and profile pictures.
A database shared on dark web forums and viewed by Sky News' US partner network, NBC News, contained a list of 999,999 people who allegedly had Ashkenazi Jewish heritage, according to 23andMe's genetic profiling.
"Crazy. This could be used by Nazis," said one person at the time who appeared in the database.
The ICO's fine comes after a joint investigation with Canada's privacy watchdog.
It is the most severe punishment the watchdog can impose and reflects repeated failures to protect extremely sensitive data, according to the information commissioner.
"This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK," said John Edwards, the UK's Information Commissioner.
"23andMe failed to take basic steps to protect this information.
"Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm."
Despite the attack starting in April 2023, 23andMe did not open an investigation until October that year, when an employee discovered the stolen data had been advertised for sale on Reddit.
The company's defences only became strong enough to halt the attack by the end of that year - but that was not the end of 23andMe's troubles.
'Sue you to oblivion'
By March this year, the best-known genetic testing company in the world had filed for bankruptcy, unable to rebuild trust after the hack and make enough money from its business model.
It will now be sold for $305m (£225m) to 23andMe's original co-founder, Anne Wojcicki and her non-profit TTAM.
But a blistering exchange in the US Senate last week laid out fresh concerns for the sensitive data users have shared with 23andMe.
Senator Josh Hawley accused Joseph Selsavage, the interim chief executive of 23andMe, of lying to his customers when he says they can delete their genetic data from the company's databases.
"You're not deleting it," he said, "because if you were, your company wouldn't be worth $300m."
"I hope [users] will rush to the courthouse [...] to sue you into oblivion."
Mr Selsavage denied Senator Hawley's claims, saying his company deletes all user data when requested.
James Moss, the director of cyber investigations at law firm Addleshaw Goddard, told Sky News the ICO's fine was "about as serious as it gets" but an enforcement order, a notice from the watchdog that dictates how data can be used in the future, would be "more important".
"That's the notice which looks forward and says, 'look, you have a legal obligation under UK law to continue to protect the personal data of these 150,000 UK citizens'. And that's arguably the more important," he said.
A total of 28 US attorneys general last week launched a legal case against 23andMe to protect user data during the sale, and urged customers to purge their information from the firm's database, given the sensitivity of the data it has collected over the years.
23andMe already sells its users' genetic data and has made at least 30 deals with biotech and pharmaceutical companies like GSK.
A spokesperson for the 23andMe buyer, TTAM, told Sky News the non-profit had made "several binding commitments to enhance protections for customer data and privacy".
These include allowing individuals to delete their account and opt out of research at any time, notifying customers at least two days before the deal closes about what TTAM's acquisition means for them and agreeing, if TTAM were to sell the company again, only to sell it to someone who agrees to adopt TTAM's privacy polices and comply with data laws.
Customers will also be offered two years of free Experian identity theft monitoring, while TTAM will continue to allow "de-identified data" to be used for scientific and biomedical research at universities and nonprofits.
No money for UK victims
The £2.31m fine money will go to the state rather than to individuals affected by the hack.
In the US, victims of the hack won $30m in a class action lawsuit last year, but that's not an option in the UK, despite the incredibly sensitive information that was shared.
Class action lawsuits for data breaches could "improve and increase accountability for data-protection breaches", according to solicitor Alex Lawrence Archer from the data law agency AWO.
"But also help individuals who are affected get something back, help them get redress, because a fine paid to the ICO doesn't achieve that. Although [the fine] is welcome, it doesn't help individuals."
For anyone thinking about using one of the many genetic testing companies that have sprung up since 23andMe was founded in 2006, Mr Lawrence Archer has cautionary advice.
"Handing over your genetic data is a really big step, and it's something that [...] people have hitherto been encouraged to take quite lightly," he said.
"There's no hard and fast rule like you should or you shouldn't do it, but it's something that you should think really carefully about.
"It can be a quite permanent step that's very difficult to undo. It's not something that should be done lightly."