DNA testing firm 23andMe has been fined £2.31m by a UK watchdog over a data breach in 2023 which affected thousands of people.
The Information Commissioner's Office (ICO) said that the company, which has filed for bankruptcy, failed to take adequate measures to secure sensitive user data before the incident.
Information Commissioner John Edwards said, “It was a deeply harmful violation, which exposed sensitive personal information, family history and even health conditions.”
23andMe is to be sold to a new owner, TTAM Research Institute, and stated that it has “made several binding commitments to increase safety for customer data and privacy.”
23andMe users were targeted in what is known as a “credential stuffing” attack in October 2023.
In this attack, hackers used passwords exposed in previous breaches to get into 23andMe accounts for which people had used the same credentials.
They were able to access 14,000 individual accounts and, through them, download information relating to about 6.9m people linked as possible relatives on the site.
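The pattern described above, one source trying leaked credentials across many different accounts, can be surfaced from login logs. The following Python is an added example, not part of the original article and not 23andMe's or the ICO's code; the event layout, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_ACCOUNTS = 5                # assumed: distinct usernames from one source
MAX_TRIES_PER_ACCOUNT = 2       # stuffing tries each leaked pair once or twice

def find_stuffing_sources(events):
    """events: (timestamp, source_ip, username, success) tuples.
    Returns {source_ip: usernames that logged in during a flagged window}."""
    by_source = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_source[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_source.items():
        start = 0
        for end in range(len(rows)):
            # Slide the left edge so the window spans at most WINDOW.
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            tries = defaultdict(int)
            for _, user, _ in window:
                tries[user] += 1
            # Many accounts, few tries each: unlike brute force on one account.
            if len(tries) >= MIN_ACCOUNTS and max(tries.values()) <= MAX_TRIES_PER_ACCOUNT:
                flagged.setdefault(ip, set()).update(u for _, u, ok in window if ok)
    return {ip: sorted(users) for ip, users in flagged.items()}

# Constructed sample events (not real data).
T0 = datetime(2023, 10, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    # One source walking a list of leaked credentials, one try per account.
    [(T0 + timedelta(seconds=20 * i), "198.51.100.7", f"user{i}@example.com", i == 3)
     for i in range(8)]
    # A legitimate user mistyping a password twice, then succeeding.
    + [(T0 + timedelta(seconds=30 * i), "203.0.113.9", "alice@example.com", i == 2)
       for i in range(3)]
)

if __name__ == "__main__":
    for ip, users in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, "-> force reset / step-up for:", users)
```

The accounts returned are the ones that authenticated successfully from a flagged source, which makes them the candidates for a forced password reset and additional verification.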
According to the ICO, this included access to personal data relating to 155,592 UK residents, such as names, years of birth, geographical information, profile pictures, race, ethnicity, health reports and family trees.
The stolen data did not include DNA records.
“As one of the affected people told us: Once this information goes out, it cannot be replaced or made again like a password or credit card number,” said Mr. Edwards.
Because of its more sensitive nature, genetic data is considered special category data under the UK Data Protection Act and requires further protection and safety measures.
According to ICO guidance, additional safety measures should be considered to help secure it.
Its investigation, started with the Privacy Commissioner of Canada last June, found that 23andMe violated the UK Data Protection Act because it lacked proper authentication and verification measures for customers during its login process.
The login process did not include mandatory multi-factor authentication, under which users logging in verify themselves through additional means or devices.
The company also did not have secure password requirements, or further verification requirements for users trying to download raw genetic data.
Mr. Edwards said that such failures, and the delays in resolving them, “left people’s most sensitive data unprotected from exploitation and loss”.
“Their security system was inadequate, the warning signs were there, and the company was slow to respond,” he said.
The company says it resolved the issues identified by the ICO and the Office of the Privacy Commissioner (OPC) of Canada by the end of 2024.
Both watchdogs recently called on 23andMe to protect the sensitive personal data of its customers amid its bankruptcy proceedings.
The company was initially set to be sold to the biotechnology company Regeneron Pharmaceuticals in a $256M deal.
But 23andMe said on Friday that it had agreed to sell its assets to TTAM Research Institute, a non-profit biotech organization led by its co-founder and former Chief Executive Anne Wojcicki.
It said that the purchase of the company, for a new price of $305M, will come with binding commitments to maintain existing policies and consumer protections, such as letting customers delete their accounts and genetic data and opt out of research.
A bankruptcy court is scheduled to hear the case for its approval on Wednesday.