© 2020 – 2023 AEA3 WEB | AEAƎ United Kingdom News

Industry reacts to 23andMe’s regulatory fine

The UK data regulator’s £2.31m fine issued to gene testing company 23andMe has been described by one industry commentator as “substantial but justified” due to the firm’s breach of “the most basic security practices”.

This week, the Information Commissioner’s Office (ICO) issued 23andMe, known for its popular personal DNA history tests, a fine for failing to implement appropriate security measures to protect the personal information of UK users.

The concerns from the watchdog followed a high-profile cyber-attack against the company in 2023 that saw criminals steal the profiles and ethnic information of millions of primarily Ashkenazi Jewish users.

More than 150,000 UK residents were among those whose genetic data was breached, with information including names, birth years, postcodes, health reports and ethnic background data accessed.

The UK Information Commissioner John Edwards described the breach as “profoundly damaging” and said the company had “failed to take basic steps to protect this information”.

“[23andMe’s] security systems were inadequate; the warning signs were there but the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm,” Edwards said.

Max Vetter, vice president of cyber at Immersive Labs, said the “majority of breaches happen because the most simple and basic security practices are not followed”.

“The ICO’s fine is substantial; however, it is justified. When an organisation is responsible for such personal and sensitive data, the security basics cannot be ignored,” he added.

“There is no excuse for any business that does not have multi-factor authentication implemented and enforced, uses weak passwords, or neglects to patch known vulnerabilities.

“Hygiene fundamentals should form the absolute baseline of any cybersecurity strategy.”

For Trevor Dearing, director of critical infrastructure at Illumio, the fine was a welcome update.

“It is good to see companies being forced to pay out when they fail to secure personal data,” Dearing commented.

“The human impact of the breach is significant; aside from the immediate distress to the victims, there is also the risk of the data being mishandled for further harm.”

He noted that the most concerning aspect of the situation is that, according to the ICO’s report on the 23andMe attack, breaches such as these are carried out with the “same tried-and-tested techniques” bad actors have been using for years.

“Strong passwords and multi-factor authentication are the basics that should have already been mastered, but instead often remain ignored,” Dearing added.

The post Industry reacts to 23andMe’s regulatory fine appeared first on UKTN.
