UK fines 23andMe for ‘profoundly damaging’ breach exposing genetics data

The UK Information Commissioner’s Office (ICO) has fined genetic testing provider 23andMe £2.31 million ($3.12 million) over ‘critical security failings’ that led to a ‘profoundly damaging’ data breach in 2023.

The information protection watchdog said today that 23andMe failed to protect the sensitive data of UK residents who had their genotype data, health reports, and personal information stolen in credential stuffing attacks using stolen login credentials that went unnoticed for 5 months between April 2023 and September 2023.

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of hundreds of people in the UK,” said John Edwards, UK’s Information Commissioner. “As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”

As the genomics company disclosed in data breach notification letters sent to impacted individuals, some of this extremely sensitive stolen data was released on the unofficial 23andMe subreddit site and the BreachForums hacking forum.

The leaked information included the data of 4.1 million people living in the UK and Germany, as well as that of 1 million Ashkenazi Jews.

After discovering this extensive breach, 23andMe implemented measures to block similar incidents, including enabling two-factor authentication by default and requiring customers to reset passwords.

“As part of our regulatory process, we took into consideration representations from 23andMe, before deciding on whether or not to impose a monetary penalty, and the final amount of the penalty,” an ICO spokesperson told BleepingComputer when asked how the fine amount was calculated.

“The amount of this fine has been set in accordance with our Data Protection Fining Guidance | ICO. This specific section of the fining guidance details the maximum amount we might fine a company.”

This fine comes after the California-based genetic testing provider filed for Chapter 11 bankruptcy in late March and announced that it plans to sell its assets following several years of financial struggles.

The 2023 data breach has led to multiple class-action lawsuits, which prompted 23andMe to amend its Terms of Use in November 2023 to make it harder to get sued. However, the company claimed the changes only aimed to simplify the arbitration process.

In September 2024, the DNA testing giant agreed to pay $30 million to settle a lawsuit over the 2023 data breach that had exposed the data of 6.4 million customers worldwide.