- The ICO has fined 23andMe £2.31 million ($3.1 million)
- The fine is for security failures surrounding the 2023 data breach
- The investigation found "serious security failures"
The UK data protection watchdog, the Information Commissioner's Office (ICO), has issued a £2.31 million fine to 23andMe for "failing to implement appropriate security measures to protect the personal information of UK users".
This follows a 2023 cyber attack in which hackers accessed the personal data of 23andMe users.
The breach directly affected only 0.1% of the company's customer base, approximately 14,000 people, but because of the sensitive nature of the information 23andMe holds, the hackers were also able to access "a significant number of files containing profile information about the ancestry of other users that those users had chosen to share."
Stay safe
The joint investigation, carried out by the ICO and the Office of the Privacy Commissioner of Canada, revealed "serious security failures" and called the company's response to the breach "inadequate".
After the hackers carried out their credential stuffing attack, the company waited months before launching a full investigation, only confirming the breach after an employee discovered the stolen data being advertised for sale on Reddit.
This breach put those affected at risk not only of the usual identity theft and fraud, but also of highly sophisticated social engineering attacks. If your genetic or family history is sold to a criminal, it can be used against you.
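Credential stuffing, the technique behind this breach, replays username and password pairs leaked from other sites against a login endpoint. The telltale pattern is a single source trying many different accounts with a high failure rate, and the handful of successes are the accounts that must be treated as compromised. As an added illustration for this article, not code from 23andMe or the ICO, here is a small detector run over constructed login records; the log format, IP addresses, account names and thresholds are all assumptions.

```python
"""Added example: flagging a credential-stuffing pattern in login logs.

Illustrative code written for this article. The log lines below are
constructed, not data from the 23andMe incident.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records: "timestamp,source_ip,username,result".
# 198.51.100.7 cycles through eight different accounts in a few seconds
# (stuffing); 203.0.113.9 is an ordinary user mistyping their own password.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z,198.51.100.7,alice@example.com,FAIL
2023-10-01T10:00:02Z,198.51.100.7,bob@example.com,FAIL
2023-10-01T10:00:02Z,198.51.100.7,carol@example.com,FAIL
2023-10-01T10:00:03Z,198.51.100.7,dave@example.com,SUCCESS
2023-10-01T10:00:03Z,198.51.100.7,erin@example.com,FAIL
2023-10-01T10:00:04Z,198.51.100.7,frank@example.com,FAIL
2023-10-01T10:00:04Z,198.51.100.7,grace@example.com,SUCCESS
2023-10-01T10:00:05Z,198.51.100.7,heidi@example.com,FAIL
2023-10-01T10:05:00Z,203.0.113.9,alice@example.com,FAIL
2023-10-01T10:05:20Z,203.0.113.9,alice@example.com,SUCCESS
"""


@dataclass
class Finding:
    source_ip: str
    distinct_users: int
    attempts: int
    failures: int
    # Accounts that logged in successfully from a flagged source: these are
    # the ones to lock and force through a password reset.
    compromised: list = field(default_factory=list)


def parse_log(text):
    """Yield (timestamp, ip, user, result) tuples from the CSV-style log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        yield ts, ip, user.strip(), result.strip()


def detect_credential_stuffing(log_text, min_distinct_users=5, min_failure_ratio=0.5):
    """Flag source IPs that try many distinct accounts with mostly failures.

    The thresholds are assumed example values; tune them to the real
    traffic profile of the login endpoint.
    """
    by_ip = defaultdict(list)
    for _, ip, user, result in parse_log(log_text):
        by_ip[ip].append((user, result))

    findings = []
    for ip, events in by_ip.items():
        users = {u for u, _ in events}
        failures = sum(1 for _, r in events if r == "FAIL")
        if len(users) >= min_distinct_users and failures / len(events) >= min_failure_ratio:
            compromised = sorted({u for u, r in events if r == "SUCCESS"})
            findings.append(Finding(ip, len(users), len(events), failures, compromised))
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_LOG):
        print(f"{f.source_ip}: {f.distinct_users} accounts tried, "
              f"{f.failures}/{f.attempts} failed, compromised={f.compromised}")
```

The per-IP grouping is the simplest form of the check; a production detector would bucket by time window and by network (ASN or /24) as well, because stuffing tools spread attempts across proxies precisely to stay under a per-IP threshold. The corresponding preventive controls, rate limiting on the login endpoint and multi-factor authentication, stop the successes from turning into account takeovers in the first place.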
"This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK," said John Edwards, the UK Information Commissioner.
"As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number."
One example would be a "family member" contacting you and asking for more information about you, or a "medical company" contacting you about an existing genetic health condition. If you are affected by this breach, be extra vigilant and cautious about any unexpected communication you receive.
"23andMe failed to take basic steps to protect this information. Its security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm," Edwards added.
We contacted 23andMe, and a spokesperson provided a statement confirming that, "as part of its agreement to acquire 23andMe, TTAM Research Institute made several binding commitments to improve protections for customer data and privacy."
These include, but are not limited to: "allowing people to delete their account and opt out at any time; notifying customers by email at least two days before the acquisition closes with details about TTAM's role, its commitment to privacy choices, and instructions on how to delete their data or opt out of research; and agreeing not to sell or transfer genetic data under any subsequent bankruptcy or change of control to any entity that does not adopt all of the commitments."