Cyber-security breaches and attacks remain a constant threat, increasing year-on-year as cyber-criminals become increasingly sophisticated and adept at accessing sensitive and confidential information. This is particularly concerning for life sciences companies, which frequently hold vast amounts of special category personal data, including genetic and health data. The 23andMe breach in June last year underscores the devastating consequences of vulnerabilities in data security. However, it also highlights the importance of robust cyber-security practices and data protection compliance.
In October 2023, genomics and biotechnology company 23andMe announced that it had experienced a significant personal data breach, impacting around 6.9 million users. This was not the result of an infiltration of 23andMe's servers; rather, individual user accounts were compromised through a brute-force attack technique known as credential stuffing (replaying usernames and passwords previously leaked in breaches of other services against the login page). The attackers used the compromised accounts to gain access to highly sensitive profile information, including health reports and raw genotype data.
Perhaps one of the most concerning elements of this breach is that the affected individuals were not limited to those whose accounts had been compromised. Through an opt-in feature, user accounts could be linked to other users with shared DNA profiles (DNA Relatives), and information about those DNA Relatives could be viewed via a Family Tree feature. This meant that the attackers were able to access the data of many users by compromising a single user's account.
Due to the international implications of this breach, the Information Commissioner's Office (ICO) and the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the adequacy of 23andMe's security measures and the effectiveness of its breach notification processes. The outcome of this investigation will raise some interesting questions for the industry in terms of compliance standards and techniques to mitigate risk. It remains to be seen whether 23andMe will face enforcement action. In the meantime, companies across the sector should take note of their own potential vulnerabilities and work to address them.
Life sciences companies frequently manage extensive repositories of special category personal data, from detailed genetic profiles to raw clinical trial data. Robust cyber-security frameworks are essential to protect this digitised data, along with other confidential and sensitive information.
For life sciences companies operating in the UK, it is also essential to fully understand obligations under data protection law, particularly in relation to data security. All organisations processing personal data must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved. For life sciences companies that handle special category personal data daily, this obligation is even more important.
Ultimately, a proactive approach to data protection compliance not only protects personal data but fosters trust in the continually evolving landscape of the life sciences industry. Some key ways to enhance security of data include: