On June 17, 2025, the genetic testing company 23andMe faced a hefty fine of over 2.3 million pounds from the UK’s data protection watchdog following a major data breach in 2023. This incident impacted more than 150,000 UK residents, exposing sensitive data such as family trees, health reports, and personal information. The breach went unnoticed for several months until the stolen information appeared for sale on Reddit, prompting intervention from the UK Information Commissioner’s Office (ICO). John Edwards, the information commissioner, described the breach as ‘profoundly damaging’, noting that the stolen data, unlike credit card details, could not be easily changed or replaced, thereby increasing the severity of the event.

23andMe, headquartered in California, typically offers DNA screenings for 89 pounds, allowing customers to delve into their ancestry and ethnicity. However, the breach led many to request the deletion of their data. The company faced additional turmoil, filing for bankruptcy protection in the US in March.

The breach was enabled by users reusing previously compromised passwords, which attackers exploit through a technique known as ‘credential stuffing’, where automated tools test multiple password combinations. In response, 23andMe committed to strengthening its security measures.

Amidst the crisis, Anne Wojcicki, the company’s former CEO, is set to regain control of 23andMe through a bankruptcy auction. Her non-profit has vowed to enhance data privacy, offering users the ability to delete their data and opt out of research at any time.

This fine is part of a series of multimillion-pound penalties issued by the UK regulator for data breaches, including against companies like Interserve and an NHS IT supplier. This incident underscores the ongoing challenge of safeguarding personal information in an increasingly digital world.
