Gene data: British data protection fine for 23andme
In 2023, almost 7 million data records of 23andme customers were offered for sale on the darknet. Great Britain imposes a fine of millions.
“23andme failed to put in place basic measures to protect personal data,” said John Edwards, head of the UK's data protection authority, in a letter to the US genetic analysis company. “Their security systems were inadequate, the warning signs were there, and the company was slow to react.” The result is well known: almost seven million data records from 23andme customers ended up in the wrong hands and for sale on the dark net in 2023. Edwards' authority is now imposing a fine of the equivalent of a good 2.7 million euros on the gene company.
The investigation on which the fine is based was the joint work of the British and Canadian federal data protection authorities. The latter, much to the continuing annoyance of its head Philippe Dufresne, is not allowed to impose penalties, but must limit itself to stating that 23andme has violated Canadian data protection law. Around 320,000 Canadians and around 150,000 Britons are likely to have been affected by the illegal disclosure.
The attacker's method was banal: Credential stuffing. This involves trying out logins and passwords that have been disclosed during intrusions into other services. If the user has used the same combination and there is no multifactor authentication, the attacker can log in. This was successful for over 18,000 accounts at 23andme in 2023. Many 23andme customers have activated the option to share their data with relatives in their accounts. The attacker was therefore able to access the data of almost seven million people via over 18,000 accounts.
Unaware for five months
For five months, from the end of April 2023, the perpetrator could try out one password after another undisturbed. According to the Canadian and British authorities, 23andme had ineffective detection systems and inadequate logging and monitoring. In addition, the investigation of anomalies was inadequate, otherwise 23andme would have detected the incidents months earlier than in October 2023.
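The two passages above describe the attack pattern (credential stuffing: one source trying many different accounts with mostly failing logins, then using the hits to reach shared data) and the detection failure (ineffective detection, inadequate logging and monitoring). The following is an added example, not code from the article or from 23andme, showing the kind of log-based check that surfaces this pattern: it looks for a single source address that attempts many distinct usernames inside a short window with a low success rate, and then lists the accounts that did log in from such a source so they can be reset and their sessions closed. The log format, field names, IP addresses, usernames and thresholds are all constructed for illustration.

```python
"""
Credential-stuffing detector over authentication log lines.

Added example, not from the article or from 23andme. The log format
(timestamp, source IP, username, outcome), the sample lines and the
thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source cycling through many accounts with
# mostly failures (the stuffing signature), one user fumbling their own
# password, and one ordinary login.
SAMPLE_LOG = """\
2023-04-28T10:00:01Z 203.0.113.7 alice@example.org FAIL
2023-04-28T10:00:02Z 203.0.113.7 bob@example.org FAIL
2023-04-28T10:00:03Z 203.0.113.7 carol@example.org OK
2023-04-28T10:00:04Z 203.0.113.7 dave@example.org FAIL
2023-04-28T10:00:05Z 203.0.113.7 erin@example.org FAIL
2023-04-28T10:00:06Z 203.0.113.7 frank@example.org OK
2023-04-28T10:00:07Z 203.0.113.7 grace@example.org FAIL
2023-04-28T10:05:00Z 198.51.100.4 alice@example.org FAIL
2023-04-28T10:05:09Z 198.51.100.4 alice@example.org OK
2023-04-28T11:00:00Z 192.0.2.9 heidi@example.org OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for every source
    that, within one sliding window, tried at least min_distinct_users
    different accounts and succeeded on at most max_success_rate of them.

    Distinct usernames from one source is the key signal: a legitimate user
    retrying their own password touches a single account and is not flagged.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = parse_line(line)
            events[ip].append((ts, user, outcome))

    suspicious = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, o in win if o == "OK")
            if len(users) >= min_distinct_users and successes / len(win) <= max_success_rate:
                # Keep the window with the most distinct accounts for reporting.
                if ip not in suspicious or len(users) > suspicious[ip][0]:
                    suspicious[ip] = (len(users), len(win), successes)
    return suspicious


def compromised_accounts(log_text, suspicious):
    """Accounts that logged in successfully from a flagged source: these are
    the ones to reset and whose sessions should be terminated."""
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, ip, user, outcome = parse_line(line)
            if ip in suspicious and outcome == "OK":
                hits.add(user)
    return hits


if __name__ == "__main__":
    flagged = detect_credential_stuffing(SAMPLE_LOG)
    print("flagged sources:", flagged)
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG, flagged)))
```

Run on the constructed log, the check flags 203.0.113.7 (seven accounts tried in a few seconds, two successes) and leaves the other two sources alone; the two accounts that opened from the flagged source are the ones whose passwords and sessions would need immediate attention. Thresholds and window size are tuning knobs that depend on the real login volume of the service.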
Added to this is insufficient prevention. The two authorities criticize the fact that 23andme did not have mandatory multifactor authentication (MFA), that it did not check whether customers were reusing passwords compromised elsewhere, that there was no additional verification when requesting the raw gene data, and that the password rules were too lax: 23andme prescribed passwords of at least eight characters with “minimal complexity rules”; a guideline from the UK data protection authority ICO (Information Commissioner's Office) recommends passwords of at least ten characters without forcing the use of special characters and without an upper length limit.
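To make the two policy points concrete, here is an added example (not code from the article, the ICO or 23andme) that places a rule set like the one criticized beside one aligned with the guidance the article cites, and shows how a service can check a password against a breached-password corpus without handling the corpus in clear text: the corpus is indexed by the first five hex characters of the password's SHA-1, the same split the common k-anonymity range lookup uses, so a client only ever reveals a short hash prefix. The breach corpus, the counts in it and the policy names are constructed for illustration.

```python
"""
Weak versus ICO-aligned password policy, plus a breached-password check.

Added example, not from the article or from 23andme. KNOWN_BREACHED is a
constructed stand-in for a real breach corpus; the policy functions and
their names are assumptions made for illustration.
"""
import hashlib
from collections import defaultdict

# Constructed corpus: password -> number of times seen in other breaches.
KNOWN_BREACHED = {
    "password1": 3,
    "qwerty123": 2,
    "summer2023!": 1,
    "Welcome123": 5,
}


def weak_policy(password):
    """Roughly the rule set criticized: at least eight characters and a
    'minimal complexity' requirement (here: at least one digit). It accepts
    short, guessable and already-leaked passwords alike."""
    return len(password) >= 8 and any(c.isdigit() for c in password)


def _sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_store(breached):
    """Index the corpus as {5-char SHA-1 prefix: {35-char suffix: count}},
    the shape a k-anonymity range lookup serves: a client sends only the
    prefix and matches the suffix locally."""
    store = defaultdict(dict)
    for pw, count in breached.items():
        h = _sha1_upper(pw)
        store[h[:5]][h[5:]] = count
    return store


def breach_count(password, store):
    """How many times the password appears in the indexed corpus (0 if never)."""
    h = _sha1_upper(password)
    return store.get(h[:5], {}).get(h[5:], 0)


def ico_style_policy(password, store):
    """Minimum ten characters, no forced special characters, no maximum
    length, and rejection of anything already seen in a breach."""
    if len(password) < 10:
        return False, "shorter than 10 characters"
    if breach_count(password, store) > 0:
        return False, "appears in breached-password corpus"
    return True, "ok"


if __name__ == "__main__":
    store = build_range_store(KNOWN_BREACHED)
    for candidate in ["summer23", "summer2023!", "correct horse battery staple"]:
        print(repr(candidate), "weak:", weak_policy(candidate),
              "ico-style:", ico_style_policy(candidate, store))
```

The contrast the article draws shows up directly: "summer2023!" satisfies the eight-character rule with a digit and a special character, yet it is a leaked password and the stricter policy rejects it, while a long passphrase without any special character passes the stricter policy. The range index is what makes the reuse check practical at scale, because the full corpus never has to be compared in clear text and a remote lookup learns only a hash prefix.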
Even when 23andme detected the unauthorized access, it did not react as the data protection authorities would like. It took four days for the company to reset all passwords and close ongoing sessions. It even took a month for mandatory MFA and additional protection of raw data to be introduced. To make matters worse, the company's legally required notifications to the UK and Canadian data protection authorities were incomplete.
Wojcicki back at the helm after insolvency
A few months after the incident, 23andme filed for insolvency. It is therefore not certain that the British fine will be paid in the amount stipulated. The company could also take legal action.
23andme was founded in 2006, went public in 2021, but has never made a profit. After some back and forth in the insolvency proceedings, co-founder Anne Wojcicki is likely to acquire the bankruptcy estate of 23andme through her research company TTAM. TTAM has offered 305 million US dollars, more than the pharmaceutical company Regeneron. Wojcicki was married to Google co-founder Sergey Brin until 2015 and is the youngest sister of Susan Wojcicki, Google's first head of marketing and long-time head of YouTube, who died of lung cancer in August.
- The complete Penalty Notice of the British ICO against 23andme
(ds)