Monday, July 28, 2025

UK fines 23andMe for ‘profoundly damaging’ breach exposing genetics data



The UK Information Commissioner’s Office (ICO) has fined genetic testing provider 23andMe £2.31 million ($3.12 million) over ‘critical security failings’ that led to a ‘profoundly damaging’ data breach in 2023.

The data protection watchdog said today that 23andMe failed to protect the sensitive data of UK residents who had their genotype data, health reports, and personal information stolen in credential stuffing attacks using stolen login credentials that went unnoticed for 5 months between April 2023 and September 2023.

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK,” said John Edwards, UK’s Information Commissioner. “As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.”

As the genomics company disclosed in data breach notification letters sent to impacted individuals, some of this extremely sensitive stolen data was released on the unofficial 23andMe subreddit site and the BreachForums hacking forum.

The leaked information included the data of 4.1 million people living in the UK and Germany, as well as that of 1 million Ashkenazi Jews.

After discovering this extensive breach, 23andMe implemented measures to block similar incidents, including enabling two-factor authentication by default and requiring customers to reset passwords.

“As part of our regulatory process, we took into account representations from 23andMe, before deciding on whether to impose a financial penalty, and the final amount of the penalty,” an ICO spokesperson told BleepingComputer when asked how the fine amount was calculated.

“The amount of this fine has been set in accordance with our Data Protection Fining Guidance | ICO. This specific section of the fining guidance details the maximum amount we could fine a company.”

This fine comes after the California-based genetic testing provider filed for Chapter 11 bankruptcy in late March and announced that it plans to sell its assets following several years of financial struggles.

The 2023 data breach has led to multiple class-action lawsuits, which prompted 23andMe to amend its Terms of Use in November 2023 to make it harder to get sued. However, the company claimed the changes only aimed to simplify the arbitration process.

In September 2024, the DNA testing giant agreed to pay $30 million to settle a lawsuit over the 2023 data breach that had exposed the data of 6.4 million customers worldwide.
