The UK's Information Commissioner's Office (ICO) has fined 23andMe £2.31 million following a 2023 data breach that compromised the personal data of approximately 6.9 million individuals, including 155,592 UK residents. The ICO found that 23andMe failed to implement adequate security measures, such as multi-factor authentication and secure password requirements, leaving sensitive information vulnerable to credential stuffing attacks. The fine comes as 23andMe is set to be acquired by TTAM Research Institute for $305 million, with commitments to enhance data protection.
The UK's Information Commissioner's Office (ICO) has imposed a £2.31 million fine on DNA testing firm 23andMe, which has since filed for bankruptcy, for a significant data breach in October 2023. The ICO determined that 23andMe failed to implement adequate security measures, specifically citing the absence of mandatory multi-factor authentication and secure password requirements, rendering sensitive user data vulnerable. This lapse facilitated a "credential stuffing" attack, compromising 14,000 individual accounts and enabling access to personal data of approximately 6.9 million individuals, including 155,592 UK residents. The exposed data encompassed names, birth years, geographical information, profile images, race, ethnicity, health reports, and family trees, although DNA records were not breached. The ICO characterized the breach as "profoundly damaging" due to the sensitive nature of the information.
Concurrent with these regulatory actions, 23andMe is set to be acquired out of bankruptcy by TTAM Research Institute, a non-profit organization led by its co-founder Anne Wojcicki, for $305 million. This revised deal, surpassing a previous $256 million bid from Regeneron Pharmaceuticals, includes binding commitments from TTAM to enhance data protection and uphold existing consumer rights, such as data deletion and research opt-outs. 23andMe claims to have resolved the identified security issues by the end of 2024, following investigations by both UK and Canadian privacy commissioners.
The overall sentiment surrounding these events is strongly negative, reflecting the severity of the breach and the company's financial distress.
Overall Sentiment: strongly negative
Sentiment Score: -0.75