- The ICO has issued 23andMe a fine of £2.31 million ($3.1 million)
- The fine is a penalty for failings following the 2023 data breach
- An investigation revealed "serious security failings"
The UK data protection watchdog, the Information Commissioner's Office (ICO), has issued a £2.31 million fine to 23andMe for "failing to implement appropriate security measures to protect the personal information of UK users".
This follows a 2023 cyberattack in which hackers accessed 23andMe users' personal data.
The breach directly affected only 0.1% of the company's customers, around 14,000 people, but because of the sensitive nature of the information 23andMe holds, the hackers were also able to access "a significant number of files containing profile information about the ancestry of other users that those users had chosen to share".
The joint investigation, carried out by the ICO and the Office of the Privacy Commissioner of Canada, revealed "serious security failings" following the breach, calling 23andMe's actions "inadequate".
After the hackers carried out their credential stuffing attack, the company waited months before launching a full investigation, only confirming the breach after an employee discovered the stolen data advertised for sale on Reddit.
This breach put the people affected at risk, not only of typical theft and identity fraud, but also of highly sophisticated social engineering attacks. If your genetic or family history is sold to a criminal, it could be exploited against you.
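The credential stuffing pattern described above (one source trying leaked username/password pairs against many different accounts, failing on most and succeeding on a few) leaves a distinctive trace in authentication logs, and catching it early is the "basic measure" the regulator had in mind. The following detector is an added example, not code from the article, the ICO or 23andMe: it runs over constructed sample log lines in an assumed format (`timestamp src=<ip> user=<name> result=OK|FAIL`), aggregates attempts per source address, and raises an alert when one source has attempted many distinct accounts with a high failure rate. The thresholds are illustrative; a production rule would also use time windows and feed into forced password resets and MFA enforcement for the accounts that saw a success.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log line format (constructed for this example, not a real product's format):
#   2023-10-01T12:00:01Z src=203.0.113.7 user=alice result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one source sprays eight different accounts and lands two
# logins (the stuffing pattern); a second source is a single user mistyping their
# password; a third is an ordinary successful login.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-10-01T12:00:02Z src=203.0.113.7 user=bob result=FAIL
2023-10-01T12:00:02Z src=203.0.113.7 user=carol result=FAIL
2023-10-01T12:00:03Z src=203.0.113.7 user=dave result=FAIL
2023-10-01T12:00:03Z src=203.0.113.7 user=erin result=FAIL
2023-10-01T12:00:04Z src=203.0.113.7 user=frank result=FAIL
2023-10-01T12:00:04Z src=203.0.113.7 user=grace result=FAIL
2023-10-01T12:00:05Z src=203.0.113.7 user=hank result=FAIL
2023-10-01T12:00:05Z src=203.0.113.7 user=dave result=OK
2023-10-01T12:00:06Z src=203.0.113.7 user=grace result=OK
2023-10-01T12:01:10Z src=198.51.100.23 user=bob result=FAIL
2023-10-01T12:01:20Z src=198.51.100.23 user=bob result=FAIL
2023-10-01T12:01:31Z src=198.51.100.23 user=bob result=OK
2023-10-01T12:02:00Z src=192.0.2.5 user=carol result=OK
""".splitlines()


@dataclass
class SourceStats:
    """Per-source-address counters built up while scanning the log."""
    users: set = field(default_factory=set)        # distinct accounts attempted
    failures: int = 0
    successes: int = 0
    compromised: set = field(default_factory=set)  # accounts that saw an OK from this source


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group login attempts by source address, skipping unparseable lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s.users.add(rec["user"])
        if rec["result"] == "OK":
            s.successes += 1
            s.compromised.add(rec["user"])
        else:
            s.failures += 1
    return stats


def detect_credential_stuffing(lines, min_distinct_users=5, min_failure_ratio=0.8):
    """Flag sources that tried many distinct accounts and mostly failed.

    A legitimate user who forgets a password fails repeatedly on ONE account;
    a stuffing run fails across MANY accounts, so the distinct-user count is the
    key signal and the failure ratio separates it from a shared NAT gateway.
    Returns a list of alert dicts sorted by source address.
    """
    alerts = []
    for src, s in aggregate(lines).items():
        attempts = s.failures + s.successes
        if attempts == 0:
            continue
        if len(s.users) >= min_distinct_users and s.failures / attempts >= min_failure_ratio:
            alerts.append({
                "src": src,
                "distinct_users": len(s.users),
                "failures": s.failures,
                "successes": s.successes,
                # accounts to force-reset and notify, since the attacker's guess worked
                "compromised": sorted(s.compromised),
            })
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(f"ALERT src={alert['src']} tried {alert['distinct_users']} accounts, "
              f"{alert['failures']} failures, compromised={alert['compromised']}")
```

The accounts listed under `compromised` are the ones that need an immediate forced credential reset and user notification; the successful logins from the spraying source are exactly the events that a months-long delay in investigation leaves unaddressed.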
“This was a deeply damaging breach that exposed the sensitive personal information, family histories and even health conditions of thousands of people in the UK,” said John Edwards, the UK Information Commissioner.
“As one of those affected told us: once this information is out there, it cannot be changed or reissued like a password or a credit card number.”
An example of this could be a "family member" getting in touch and asking for more information about you, or a "medical company" contacting you about an existing genetic health condition. If you are affected by this breach, be very vigilant and cautious about any unexpected communications you receive.
“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there and the company was slow to respond.”
We contacted 23andMe, and a spokesperson provided us with a statement confirming that "as part of its agreement to acquire 23andMe, the TTAM Research Institute made several binding commitments to improve protections for customer data and privacy".
These include, but are not limited to: "allowing individuals to delete their account and withdraw from research at any time; informing customers by email at least 2 days before the closing of the acquisition with details on TTAM's role, its commitment to honouring privacy choices and instructions on how to delete data or withdraw from research;