UKHotViews

Wednesday 18 June 2025

ICO sets data security precedent with £2.31m fine for 23andMe

Yesterday, the ICO announced a substantial penalty against genetics firm 23andMe signalling a toughening regulatory stance on genetic data security, with implications extending far beyond the direct-to-consumer testing sector. The fine may well represent a watershed moment for biometric data protection in the UK market.

San Francisco HQ’ed 23andMe was founded way back in 2006 and is one of many firms providing genetic testing services. For services ranging in cost from £99 and up, customers can send a saliva sample to its labs and get back an ancestry and genetic predispositions report. We initially covered the data breach back in October 2023 when it was made public (see Even your DNA is not safe to hackers). The breach timeline reveals catastrophic security governance failures. Despite clear warning signs from April 2023, including over one million login attempts in a single day causing platform outages, 23andMe failed to initiate a proper investigation until October, when stolen data surfaced on Reddit. This six-month delay demonstrates a fundamental inadequacy in threat detection and incident response processes.

The joint investigation with Canada's Privacy Commissioner establishes a template for cross-border enforcement against global data controllers. This coordinated approach significantly amplifies regulatory reach and penalty exposure for multinational operators. The ruling also creates immediate compliance issues across the broader health tech ecosystem. Key requirements now include mandatory multi-factor authentication for sensitive data access, enhanced credential monitoring, and proactive threat detection systems. The emphasis on "unpredictable usernames" introduces novel security obligations that many platforms currently lack.
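As an added illustration, not code from the article or from 23andMe, the kind of proactive threat detection the ruling calls for can begin with something very simple: compare each day's login volume and failure ratio against the preceding days, and raise an alert when both move sharply. The log line format, the thresholds, and the sample log lines below are all constructed assumptions for the example.

```python
"""Flag a surge of mostly-failed logins against a rolling daily baseline.

Added example only. The log format, sample lines and thresholds are
constructed assumptions, not data or tooling from the article.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed authentication log lines (not real 23andMe data).
# Assumed line format: "<ISO-8601 timestamp> <source_ip> <username> <ok|fail>"
BASELINE_LINES = [
    "2023-03-28T09:12:00 198.51.100.10 user1 ok",
    "2023-03-28T14:03:00 198.51.100.11 user2 fail",
    "2023-03-28T14:03:30 198.51.100.11 user2 ok",
    "2023-03-29T08:45:00 198.51.100.12 user3 ok",
    "2023-03-29T17:20:00 198.51.100.10 user1 ok",
    "2023-03-30T11:00:00 198.51.100.13 user4 ok",
    "2023-03-30T11:05:00 198.51.100.13 user4 ok",
    "2023-03-30T19:30:00 198.51.100.14 user5 fail",
]

# Constructed surge day: 60 attempts from 20 source addresses against 60
# distinct accounts, of which only 3 succeed. Many accounts, many sources and a
# high failure ratio is the shape a defender wants to be paged about.
SURGE_LINES = [
    f"2023-03-31T00:{i % 60:02d}:00 203.0.113.{i % 20} user{100 + i} "
    + ("ok" if i % 20 == 0 else "fail")
    for i in range(60)
]


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def daily_stats(lines):
    """Aggregate attempts, failures, distinct sources and accounts per day."""
    days = defaultdict(
        lambda: {"attempts": 0, "failed": 0, "ips": set(), "users": set()}
    )
    for line in lines:
        ts, ip, user, result = parse_line(line)
        d = days[ts.date().isoformat()]
        d["attempts"] += 1
        d["failed"] += result != "ok"
        d["ips"].add(ip)
        d["users"].add(user)
    return dict(days)


def flag_surges(days, volume_factor=5, min_fail_ratio=0.5):
    """Alert on days whose volume is volume_factor x the median of all prior
    days AND whose attempts are mostly failures. Thresholds are assumptions;
    tune them against your own traffic. The first day has no baseline and is
    never flagged."""
    alerts = []
    prior = []
    for day in sorted(days):
        d = days[day]
        if prior:
            base = median(prior)
            fail_ratio = d["failed"] / d["attempts"]
            if d["attempts"] >= volume_factor * base and fail_ratio >= min_fail_ratio:
                alerts.append({
                    "day": day,
                    "attempts": d["attempts"],
                    "failed": d["failed"],
                    "sources": len(d["ips"]),
                    "accounts": len(d["users"]),
                })
        prior.append(d["attempts"])
    return alerts


if __name__ == "__main__":
    for alert in flag_surges(daily_stats(BASELINE_LINES + SURGE_LINES)):
        print(
            f"{alert['day']}: {alert['attempts']} attempts, {alert['failed']} failed, "
            f"{alert['sources']} sources, {alert['accounts']} accounts targeted"
        )
```

Run stand-alone it reports only the constructed surge day. The point of the design is that the alert carries the distinct-account and distinct-source counts alongside the raw volume: a spike confined to one account is a forgotten password, a spike spread across many accounts from many sources is the signal that, in the timeline above, went uninvestigated for six months.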

Organisations handling biometric or genetic data face elevated regulatory scrutiny and potential penalty exposure. The ICO's focus on "basic steps" suggests even established security practices may be insufficient. Companies will have to reassess authentication protocols and incident response capabilities to avoid similar enforcement action in an increasingly unforgiving regulatory environment.

Things could have been even worse for 23andMe. The original proposed penalty was £4,593,750 but was reduced to £2,310,000 due to 23andMe's deteriorating financial position. 23andMe's holding Co. filed for Chapter 11 bankruptcy on March 23rd, with substantial doubt about continuing as a going concern. The company had an accumulated deficit of $2.4bn as of December 31st, 2024.

Posted by: Marc Hardwick at 09:08

Tags: cybersecurity  


© TechMarketView LLP 2007-2025: Unauthorised reproduction prohibited see full Terms and conditions.