The ICO has imposed a fine of £2.31 million on 23andMe due to a cyber attack that exposed personal data of 155,592 UK residents. This attack, termed a credential stuffing incident, revealed sensitive information such as names, birth years, and health reports. The company's response was criticized as it suggested users bore responsibility for failing to secure their passwords. The ICO criticized 23andMe for insufficient security measures and slow responses, highlighting the serious consequences of exposing such sensitive information without adequate protection.
23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond.
This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK.
Collection
[
|
...
]