QUICK FACTS
Overview
The UK’s Information Commissioner’s Office (ICO) has issued a penalty notice of £2,310,000 to the consumer genetics company 23andMe, Inc. The fine follows a joint investigation with the Office of the Privacy Commissioner of Canada (OPC) into a major data breach that came to light in October 2023.
The investigation found that, between May 2018 and December 2024, 23andMe failed to implement appropriate technical and organisational measures to protect its customer data. This failure allowed a threat actor to conduct a "credential stuffing" attack over at least five months, gaining access to the accounts of 155,592 UK-based customers.
The compromised data included highly sensitive special category data, such as genetic and health information, as well as data from which racial or ethnic origin could be inferred. The ICO found that 23andMe's security failings were serious and negligent, highlighting the absence of mandatory multi-factor authentication (MFA), inadequate password policies, and a failure to detect and respond to multiple clear indicators of a cyberattack.
The fine was significantly reduced from an initial proposal of £4.59 million after the ICO considered the company's deteriorating financial position, including its filing for Chapter 11 bankruptcy in the US.
Details of the CASE
The Data Breach and Compromised Information
The ICO’s investigation determined that the data breach was a result of a credential stuffing attack, a method where attackers use username and password combinations stolen from other websites to gain access to accounts. The attacker's activity on the 23andMe platform began as early as April 29, 2023.
By compromising an initial set of accounts, the threat actor exploited 23andMe's "DNA Relatives" feature. This feature allows users to see and connect with their genetic relatives on the platform, and by default, it shares profile information. This mechanism magnified the breach's impact significantly. While only 611 UK customer accounts were directly breached through credential stuffing, the attacker was able to scrape the data of thousands more connected via the DNA Relatives feature.
In total, 155,592 UK customers were affected. The exfiltrated data included:
- DNA Relatives profiles of 120,031 UK customers.
- Ancestry Reports of 120,504 UK customers.
- Family Tree profiles of 35,561 UK customers.
- 23andMe generated Health Reports for 320 UK customers.
- Raw Genetic Data was accessed for two UK customers.
The attacker posted this data for sale on online forums, specifically targeting customers based on their racial and ethnic backgrounds.
ICO's Findings of Infringement
The Commissioner found that 23andMe committed serious infringements of UK GDPR Articles 5(1)(f) and 32(1) over a period from 25 May 2018 to 31 December 2024. The key failures included:
- Failure to Mitigate Credential Stuffing Attacks: The ICO ruled that 23andMe failed to implement basic, appropriate measures to defend against this common attack vector. These included:
- No Mandatory Multi-Factor Authentication (MFA): Until November 2023 (after the breach was public), MFA was an optional feature enabled by only 0.2% of its global customer base. The accounts that used MFA or Single Sign-On (SSO) were not compromised, proving its effectiveness.
- Inadequate Password Policies: At the time of the breach, password requirements were weak, with a minimum of only eight characters, no complexity rules, and insufficient checks against common or known compromised passwords.
- Use of Predictable Usernames: The platform used email addresses for login, which are more easily found in breached data lists, rather than allowing for unpredictable usernames.
- Failure to Protect Raw Genetic Data: Despite the extreme sensitivity of Raw Genetic Data, there were no additional authentication or verification steps required to access and download this information once an account was logged into.
- Failure to Test and Evaluate Security: Prior to the breach, 23andMe had never simulated a credential stuffing attack as part of its penetration testing or security exercises , despite it being a well-known cybersecurity risk and the company having experienced isolated credential stuffing incidents in 2019 and 2020.
- Failure to Monitor, Detect, and Respond: 23andMe missed multiple clear warnings of the attack:
- July 2023 Login Spike: The platform experienced over one million successful logins on July 6, 2023, which was an anomaly that was not properly investigated.
- August 2023 Messages: A user named "Anna" sent messages via the customer portal claiming to have stolen data on 10 million users. An internal ticket was raised but quickly closed, with the incident being dismissed as a "hoax" after a limited investigation.
- Ineffective Monitoring: The company’s rate-limiting rules failed to detect the high volume of login attempts because the attacker rotated thousands of IP addresses. Furthermore, a "bug" in its logging system meant that the IP address for Raw Genetic Data downloads was not correctly recorded, hindering the investigation.
fines and Penalties
The ICO concluded that the final penalty of £2,310,000 was effective, proportionate, and dissuasive, reflecting the seriousness of the failings while accounting for the company's current financial hardship
Key quotes
- On Prioritising Convenience Over Security: "23andMe decided to make MFA optional to ensure that customers could easily access their accounts." The Commissioner found this prioritised "customer convenience and ease of use of the Platform over the security of customer accounts, which the Commissioner finds is not compliant with the company's obligations... particularly when taking into account the sensitivity of the personal data accessible via customer accounts."
- On Dismissing Early Warnings: Following messages in August 2023 claiming a massive data theft, a security ticket was raised but ultimately "closed by the Cyber Incident Response Team on the basis that it, 'looks to have been a hoax.'"
- On User Consent and Expectation of Security: "The Commissioner considers that there is a significant difference between 23andMe customers voluntarily electing to share their personal data with other customers in what they believed to be the secure environment of the Platform and that personal data being accessible to a maliciously motivated threat actor and subsequently posted on open forums on the internet."
Sources:
