The UK's Information Commissioner's Office has fined 23andMe £2.31 million following a major data breach in 2023, which affected nearly 7 million users. The breach was attributed to the company's lack of adequate security measures, including insufficient authentication protocols and failure to monitor security threats effectively. Information Commissioner John Edwards noted the severe impact on individuals whose sensitive information was exposed and criticized 23andMe for its delayed response to the breach. The company took significant time to address security vulnerabilities that facilitated the attack.
This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us, once this information is out there, it cannot be changed or reissued like a password or credit card number.
23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond.
The ICO noted that 23andMe missed many opportunities to act during the five-month gap between the attacker's credential-stuffing activity and the public acknowledgment of the attack.