
Lessons from the 23andMe Data Breach: A UK GDPR Guide for Small Businesses

In October 2023, the genetics company 23andMe made headlines for a significant data breach. The incident saw the personal data of millions of users compromised, including thousands in the UK. This event has understandably caused widespread concern, particularly for those who entrusted the company with their most sensitive genetic information.

For small business owners, freelancers, and marketers in the UK, this incident serves as a crucial lesson in data protection. It highlights the serious responsibilities that come with handling personal information and the severe consequences of getting it wrong. The UK’s data protection regulator, the Information Commissioner’s Office (ICO), conducted a thorough investigation and has now published its findings.

This article will break down the ICO’s report on the 23andMe Data Breach. We will explain what happened, what the company did wrong according to the regulator, and what the key takeaways are for your own business. Our goal is to demystify the complexities of UK GDPR, remove the fear of non-compliance, and provide you with practical, reassuring guidance to protect the data you handle.

What is UK GDPR and Why Does it Matter?

Before we delve into the specifics of the 23andMe case, let’s briefly touch upon the law that governs data protection in the UK. The UK General Data Protection Regulation (UK GDPR), alongside the Data Protection Act 2018, sets out the rules for how organisations must handle personal data.

Think of it as a framework built on principles. These principles are designed to ensure that data is used fairly, lawfully, and transparently. A core part of this is the ‘integrity and confidentiality’ principle, which requires organisations to keep personal data safe and secure. This is a central theme in the ICO’s findings against 23andMe.

Failure to comply with UK GDPR can lead to significant penalties. In this case, the ICO fined 23andMe £2,310,000 for serious security failings. This underscores how seriously the regulator takes the protection of personal data, especially when that data is highly sensitive.

The 23andMe Data Breach Explained

The breach was a result of a cyber-attack known as “credential stuffing.” This is not a complex hack in the traditional sense. Instead, it exploits a common human behaviour: reusing passwords across different websites.

What is Credential Stuffing?

Imagine a burglar gets a key to your old flat. If you use the same key for your new house, your new car, and your office, that burglar can now access all those places.

Credential stuffing works in a similar way. Attackers obtain lists of usernames (often email addresses) and passwords from previous data breaches on other websites. They then use automated software to “stuff” these credentials into the login pages of many different sites, like 23andMe. If a user has reused their password, the attacker gains access.

In 23andMe’s case, a threat actor used this method over several months to access customer accounts. Because of how 23andMe’s platform was designed, this initial access had a domino effect.

The Domino Effect: How One Breach Led to Millions

A key feature of 23andMe’s service is “DNA Relatives,” which allows users to connect with genetic relatives. When users opt-in, they share certain profile information with their matches.

The attacker, having gained access to a small number of accounts via credential stuffing, was then able to “scrape” (or copy) the data of the thousands of DNA Relatives connected to those accounts. This massively amplified the scale of the breach. In total, the personal data of 155,592 UK customers was accessed.

This exposed data included names, birth years, and geographical locations. Crucially, because the data was related to genetic ancestry, it was also possible to infer users’ racial or ethnic origins, including whether they were of Ashkenazi Jewish or Chinese descent. The attackers specifically offered this targeted data for sale on online forums.

Where 23andMe Went Wrong: The ICO’s Findings

The ICO’s investigation identified several serious failures by 23andMe. These were not minor oversights; they were fundamental breaches of UK GDPR principles that lasted for years—from May 2018 until the end of 2024.

The ICO found that 23andMe failed to implement “appropriate technical and organisational measures to ensure… security appropriate to the risk.” This is a requirement under Article 32 of the UK GDPR. Given the highly sensitive nature of the genetic data it held, 23andMe was expected to have exceptionally robust security.

Here are the key failures highlighted by the regulator:

1. Lack of Multi-Factor Authentication (MFA)

This was perhaps the most critical failure. Multi-factor authentication adds a second layer of security to the login process. It’s like needing both a key and a PIN code to open a door. Even if an attacker has your password, they cannot get in without the second factor (e.g., a code sent to your phone).

The NCSC and the ICO both recommend MFA as one of the most effective ways to protect against attacks like credential stuffing. While 23andMe offered MFA as an optional feature, it was not mandatory. The company argued that making it compulsory might make the service harder for some customers to use.

The ICO rejected this, stating that 23andMe had prioritised customer convenience over the security of highly sensitive data. Tellingly, of the accounts that did have MFA enabled, none were compromised in the attack.

Lesson for Small Businesses: If you offer online accounts, especially where sensitive information is stored, you must consider making MFA mandatory. The potential inconvenience is minor compared to the protection it offers.

2. Weak Password Policies

23andMe’s password rules were not strong enough. At the time of the breach, the company:

  • Only required a minimum of eight characters.
  • Did not have complexity requirements (e.g., a mix of letters, numbers, and symbols).
  • Did not adequately check for weak or commonly used passwords against a comprehensive “deny list.”
  • Allowed users to reuse old passwords until August 2023.

The ICO pointed out that while 23andMe warned customers about reusing passwords, these warnings were buried in help pages and not shown during the password creation process.

Lesson for Small Businesses: Implement a strong password policy. Guide your users to create secure passwords. Use available tools to block common and previously breached passwords. The NCSC provides excellent, free guidance on this.
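As an added illustration (not 23andMe's code or anything from the ICO's report), here is a Python password-policy check covering three of the failures listed above: a minimum length, a deny list of common or breached passwords, and reuse of a previous password. The 12-character minimum, the small deny list and the PBKDF2 parameters are assumptions; a real deployment would load a full breached-password list such as the ones NCSC guidance points to.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Assumption: stand-in for a full breached/common password list.
DENY_LIST = {"password", "12345678", "qwerty123", "letmein1", "welcome1"}
MIN_LENGTH = 12  # assumption: longer than the eight characters 23andMe required
PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored history never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy failures for a candidate password (empty list = accepted).
    history holds (salt, hash) pairs for the user's previous passwords."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in DENY_LIST:
        failures.append("appears on the common/breached password deny list")
    for salt, old_hash in history:
        # Constant-time compare against each old hash: blocks the reuse 23andMe allowed.
        if hmac.compare_digest(_hash(candidate, salt), old_hash):
            failures.append("reuses a previous password")
            break
    return failures


def store_password(password: str, history: list[tuple[bytes, bytes]]) -> None:
    """Record an accepted password with a fresh random salt."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))
```

Show the failure reasons to the user at the moment they choose the password, which is the point the ICO made about 23andMe's warnings being buried in help pages.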

3. Failure to Test for Common Threats

UK GDPR requires organisations to regularly test and evaluate their security measures. 23andMe conducted security tests, but shockingly, none of them ever simulated a credential stuffing attack.

This is despite credential stuffing being a widely known and common threat to online services for many years. The company itself had even experienced minor credential stuffing incidents in 2019 and 2020, but failed to detect them at the time and learn from them.

Lesson for Small Businesses: You must be aware of the common cyber threats relevant to your business. Regularly test your defences against them. This doesn’t have to be expensive; even simple reviews and “what if” scenarios can highlight weaknesses.

4. Inadequate Monitoring and Response

The ICO found that 23andMe missed multiple opportunities to detect the breach earlier. For months, attackers made hundreds of thousands of login attempts, yet the company’s systems failed to flag this anomalous activity.

  • July 2023 Login Spike: The platform was temporarily rendered inoperable by over one million successful logins in a single day, which should have been a major red flag.
  • August 2023 Messages: An individual contacted 23andMe directly, claiming to have stolen data from 10 million customers. The company’s internal security team dismissed this as a “hoax” after a very limited investigation.

These incidents were treated in isolation, and no one connected the dots. This failure to investigate clear warning signs allowed the breach to continue for several more months, maximising the harm to customers.

Lesson for Small Businesses: Have a clear process for monitoring your systems and responding to security alerts. Take all threats seriously, even if they seem far-fetched. A prompt and thorough investigation can be the difference between a minor incident and a major crisis.
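To show what monitoring for the warning signs described above can look like in practice, here is an added Python example (not the page's or 23andMe's code) that runs over constructed login log lines and flags the two signals the ICO highlighted: one source trying many different accounts with a high failure rate, and a day whose successful logins far exceed the normal baseline. The log format, the thresholds and the baseline figure are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not real telemetry): 203.0.113.7 cycles through many
# accounts with mostly failures (stuffing signature); 198.51.100.4 is one user.
SAMPLE_LOG = """\
2023-07-10T02:14:05Z ip=203.0.113.7 user=alice@example.com result=fail
2023-07-10T02:14:06Z ip=203.0.113.7 user=bob@example.com result=fail
2023-07-10T02:14:06Z ip=203.0.113.7 user=carol@example.com result=success
2023-07-10T02:14:07Z ip=203.0.113.7 user=dave@example.com result=fail
2023-07-10T02:14:08Z ip=203.0.113.7 user=erin@example.com result=fail
2023-07-10T02:14:09Z ip=203.0.113.7 user=frank@example.com result=success
2023-07-10T09:30:00Z ip=198.51.100.4 user=grace@example.com result=fail
2023-07-10T09:30:20Z ip=198.51.100.4 user=grace@example.com result=success
"""

# Assumed format: "<ISO timestamp> ip=<addr> user=<account> result=<success|fail>"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def stuffing_sources(log, min_users=5, min_fail_ratio=0.5):
    """IPs that tried >= min_users distinct accounts with a failure ratio >= min_fail_ratio."""
    users, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in parse(log):
        users[e["ip"]].add(e["user"])
        attempts[e["ip"]] += 1
        if e["result"] != "success":
            fails[e["ip"]] += 1
    return sorted(ip for ip in attempts if len(users[ip]) >= min_users
                  and fails[ip] / attempts[ip] >= min_fail_ratio)

def accounts_to_reset(log):
    """Accounts that logged in from a flagged source: force a reset and review for scraping."""
    flagged = set(stuffing_sources(log))
    return sorted({e["user"] for e in parse(log)
                   if e["ip"] in flagged and e["result"] == "success"})

def daily_success_spikes(log, baseline_per_day, factor=3.0):
    """Days whose successful logins exceed factor x the normal daily baseline (assumed known)."""
    per_day = defaultdict(int)
    for e in parse(log):
        if e["result"] == "success":
            per_day[e["ts"][:10]] += 1
    return sorted(day for day, n in per_day.items() if n > factor * baseline_per_day)
```

The two checks answer different questions: the per-source check catches the attack while it is running, and the daily spike check is what should have fired on the July 2023 login surge even without any single source standing out.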


UK GDPR Compliance Checklist: Lessons from the 23andMe Data Breach

This case provides a valuable learning opportunity. Use this checklist to review your own data protection practices.

  • ☐ Understand Your Data: Do you know what personal data you hold? Is any of it “special category data” (like health, race, or genetic information)? Special category data requires a higher level of protection.
  • ☐ Strengthen Your Logins:
    • Have you made Multi-Factor Authentication (MFA) mandatory for all user accounts?
    • Do you have a strong password policy? (Consult NCSC guidance).
    • Do you prevent the use of common or breached passwords?
  • ☐ Secure Your Website:
    • Do you regularly test for common vulnerabilities?
    • Do you have a process to monitor for suspicious login activity (e.g., high rates of failed logins)?
  • ☐ Create a Response Plan:
    • Do you have a clear plan for what to do if you suspect a data breach?
    • Who is responsible for investigating?
    • Do you know when and how to report a breach to the ICO? (Generally within 72 hours of becoming aware of it).
  • ☐ Review Your Privacy Notice: Is your privacy notice clear and transparent? Does it explain what data you collect, why you collect it, and how you protect it?
  • ☐ Train Your Staff: Does everyone in your business understand their data protection responsibilities?

Frequently Asked Questions (FAQs)

Q: I’m just a freelancer with a small blog. Does UK GDPR even apply to me? A: Yes. If you collect any personal data from individuals in the UK (for example, through a contact form, comments section, or newsletter sign-up), UK GDPR applies to you. The principles of security and accountability are universal, regardless of your size.

Q: I don’t handle genetic data. Are the lessons from the 23andMe data breach still relevant? A: Absolutely. While the data was exceptionally sensitive, the security failings were fundamental. Credential stuffing can be used against any service with a login portal, whether it’s an e-commerce store, a client portal, or a membership site. The principles of mandatory MFA and strong password policies are relevant to everyone.

Q: How much does it cost to implement these security measures? A: The cost varies, but many essential measures are low-cost or free. The NCSC provides free guidance and tools. Many website platforms and plugins offer MFA and password-checking capabilities as standard. The cost of a breach—both in fines and reputational damage—is almost always far greater than the cost of prevention.

Q: I received an email from a company about a data breach. What should I do? A: The ICO and NCSC have excellent guidance for individuals. The first steps are usually to change your password on that site immediately. If you have reused that password anywhere else, change it on those sites too. Enable MFA wherever it is offered. Be vigilant for phishing emails that might try to trick you into revealing more information.


This case is a stark reminder that data protection is not just a box-ticking exercise. It is a fundamental duty of care owed to the people whose data you hold. The customers of 23andMe felt “violated,” “anxious,” and “disgusted” by the breach. As one affected user told the ICO, “unlike usernames, passwords and e-mail addresses, you can’t change your genetic makeup when a data breach occurs.”

By understanding the mistakes made by 23andMe, you can take positive and practical steps to strengthen your own security. Building trust with your customers starts with respecting their data. By embedding good data protection practices into your operations, you not only comply with the law but also build a more resilient and reputable business.
