Lessons from the 23andMe Data Breach: A UK GDPR Guide...

UK GDPR lessons from the ICO's report on the 23andMe Data Breach. A guide for UK small businesses on compliance and protecting data.

· Business & Compliance

In October 2023, the genetics company 23andMe made headlines for a significant data breach. The incident saw the personal data of millions of users compromised, including thousands in the UK. This event has understandably caused widespread concern, particularly for those who entrusted the company with their most sensitive genetic information.

For small business owners, freelancers, and marketers in the UK, this incident serves as a crucial lesson in data protection. It highlights the serious responsibilities that come with handling personal information and the severe consequences of getting it wrong. The UK's data protection regulator, the Information Commissioner's Office (ICO), conducted a thorough investigation and has now published its findings.

This article will break down the ICO's report on the 23andMe Data Breach. We will explain what happened, what the company did wrong according to the regulator, and what the key takeaways are for your own business. Our goal is to demystify the complexities of UK GDPR, remove the fear of non-compliance, and provide you with practical, reassuring guidance to protect the data you handle.

What is UK GDPR and Why Does it Matter?

The UK General Data Protection Regulation (UK GDPR), alongside the Data Protection Act 2018, sets out the rules for how organisations must handle personal data. Think of it as a framework built on principles designed to ensure that data is used fairly, lawfully, and transparently. A core part of this is the 'integrity and confidentiality' principle, which requires organisations to keep personal data safe and secure.

Failure to comply with UK GDPR can lead to significant penalties. In this case, the ICO fined 23andMe £2,310,000 for serious security failings. This underscores how seriously the regulator takes the protection of personal data, especially when that data is highly sensitive.

The 23andMe Data Breach Explained

The breach was a result of a cyber-attack known as "credential stuffing." This is not a complex hack in the traditional sense. Instead, it exploits a common human behaviour: reusing passwords across different websites.

What is Credential Stuffing?

Credential stuffing works like this: attackers obtain lists of usernames and passwords from previous data breaches on other websites. They then use automated software to "stuff" these credentials into login pages of many different sites. If a user has reused their password, the attacker gains access.

In 23andMe's case, a threat actor used this method over several months to access customer accounts. Because of how 23andMe's platform was designed with the "DNA Relatives" feature, this initial access had a domino effect, allowing attackers to scrape data from thousands of connected relatives. In total, the personal data of 155,592 UK customers was accessed.

Where 23andMe Went Wrong: The ICO's Findings

The ICO found several serious failures:

1. Lack of Multi-Factor Authentication (MFA)

MFA was optional, not mandatory. The ICO stated that 23andMe had prioritised customer convenience over security. Of accounts with MFA enabled, none were compromised.

2. Weak Password Policies

Only 8 characters minimum, no complexity requirements, inadequate checking for common passwords.

3. Failure to Test for Common Threats

Despite credential stuffing being a widely known threat, 23andMe never simulated such an attack in their security tests.

4. Inadequate Monitoring and Response

The company missed multiple warning signs, including over one million logins in a single day and direct messages from someone claiming to have stolen data.

UK GDPR Compliance Checklist: Lessons from the 23andMe Data Breach

  • Understand Your Data: Know what personal data you hold, especially special category data.
  • Strengthen Your Logins: Make MFA mandatory, implement strong password policies.
  • Secure Your Website: Regularly test for vulnerabilities, monitor for suspicious activity.
  • Create a Response Plan: Know what to do in a breach, who investigates, when to report to ICO.
  • Review Your Privacy Notice: Ensure it's clear and transparent.
  • Train Your Staff: Everyone should understand their data protection responsibilities.

This case is a stark reminder that data protection is not just a box-ticking exercise. By understanding the mistakes made by 23andMe, you can take positive and practical steps to strengthen your own security and build trust with your customers.