
23andMe Data Breach: strengthening defences and compliance in the life sciences industry

on Tuesday, 16 July 2024.

For life sciences companies processing health or genetic data, useful lessons can be taken from the 23andMe data breach, which is back in the spotlight thanks to a joint investigation by the UK and Canadian data protection authorities.

Cyber-security breaches and attacks remain a constant threat, increasing year-on-year as cyber-criminals become more sophisticated and adept at accessing sensitive and confidential information. This is particularly concerning for life sciences companies, which frequently hold vast amounts of special category personal data, including genetic and health data. The 23andMe breach disclosed in October last year underscores the damage that weaknesses in data security can cause. It also highlights the importance of robust cyber-security practices and data protection compliance.

Understanding the 23andMe personal data breach

In October 2023, genomics and biotechnology company 23andMe announced that it had experienced a significant personal data breach, impacting around 6.9 million users. This was not the result of an infiltration of 23andMe's servers. Instead, individual user accounts were taken over through credential stuffing: the attacker replays username and password pairs leaked in breaches of other services, relying on people reusing the same password across sites. Unlike a brute force attack, which guesses many passwords for one account, credential stuffing tries one already-known password per account across many accounts, so it defeats password complexity rules but not unique passwords or multi-factor authentication. The attackers used the compromised accounts to access highly sensitive profile information, including health reports and raw genotype data.

Perhaps the most concerning element of this breach is that the affected individuals were not limited to those whose accounts had been compromised. Through the opt-in DNA Relatives feature, a user's account was linked to other users with whom they shared DNA, and information about those DNA Relatives could also be viewed through the Family Tree feature. Logging into a single compromised account therefore exposed profile data belonging to many other users, none of whose own credentials had been compromised. The number of affected individuals was consequently far larger than the number of accounts actually taken over.
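To make that amplification concrete, the following is an added example written for this article, not code from 23andMe. It models, as an assumption about how an opt-in relatives view behaves, an account holder who sees a summary profile of each matched relative who has also opted in, and computes which individuals are affected when a given set of accounts is taken over. The user identifiers, opt-in flags and DNA matches are constructed.

```python
"""Added example (not 23andMe's code): scoping the individuals affected when
attackers take over accounts that can view linked relatives' profiles.

Assumed visibility rule: an account holder who has opted in sees a summary
profile of every matched relative who has also opted in. The attacker holds
only the compromised account's credentials, so exposure is one hop: the
relatives' own relatives are not reached because their accounts are never
logged into."""

from collections import defaultdict
from typing import Iterable

# Constructed data: per-user opt-in flag and undirected "shares DNA with" links.
OPTED_IN = {"u1": True, "u2": True, "u3": False, "u4": True, "u5": True, "u6": True}
DNA_MATCHES = [("u1", "u2"), ("u1", "u3"), ("u2", "u4"), ("u4", "u5"), ("u5", "u6")]


def build_graph(matches: Iterable[tuple[str, str]]) -> dict[str, set[str]]:
    """Undirected adjacency: a DNA match is visible from both sides."""
    graph: dict[str, set[str]] = defaultdict(set)
    for a, b in matches:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def visible_relatives(account: str, graph, opted_in) -> set[str]:
    """Profiles the holder of `account` can see: nothing unless the account
    itself opted in, and then only relatives who also opted in."""
    if not opted_in.get(account, False):
        return set()
    return {r for r in graph.get(account, set()) if opted_in.get(r, False)}


def breach_scope(compromised: Iterable[str], graph, opted_in) -> dict[str, set[str]]:
    """Split affected individuals into those whose own account was taken over
    and those whose profile data was merely viewed through a relative's
    account. The second group still has to be assessed for notification."""
    taken_over = set(compromised)
    viewed: set[str] = set()
    for acct in taken_over:
        viewed |= visible_relatives(acct, graph, opted_in)
    viewed -= taken_over  # count each individual once, under the worse category
    return {
        "account_taken_over": taken_over,
        "profile_viewed_via_relative": viewed,
        "all_affected": taken_over | viewed,
    }


if __name__ == "__main__":
    g = build_graph(DNA_MATCHES)
    scope = breach_scope(["u1", "u4"], g, OPTED_IN)
    for label, users in scope.items():
        print(f"{label}: {sorted(users)}")
    # Two accounts taken over, four individuals affected: u3 is protected by
    # having opted out, and u6 is not reached because u5's account was never
    # logged into.
```

Two design points carry over to any linked-profile feature: the link should be opt-in on both sides (u3 stays invisible even though a relative's account was compromised), and what a link reveals should be the minimum the feature needs, because every field shown to a relative is a field the attacker of that relative's account also sees.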

Due to the international implications of this breach, the UK Information Commissioner's Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the adequacy of 23andMe's security measures and the effectiveness of its breach notification processes. The outcome of this investigation will raise interesting questions for the industry about compliance standards and techniques to mitigate risk. It remains to be seen whether 23andMe will face enforcement action. In the meantime, companies across the sector should take note of their own potential vulnerabilities and address them.

Key Strategies for enhancing cyber-security and data protection compliance

Life sciences companies frequently manage extensive repositories of special category personal data, from detailed genetic profiles to raw clinical trial data. Robust cyber-security frameworks are essential to protect this digitised data, along with other confidential and sensitive information.

For life sciences companies operating in the UK, it is also essential to fully understand obligations under data protection law, particularly in relation to data security. All organisations processing personal data must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved (Article 32 UK GDPR). For life sciences companies that handle special category personal data daily, this obligation is even more important, because the harm to individuals from a breach of genetic or health data is correspondingly greater.

Ultimately, a proactive approach to data protection compliance not only protects personal data but fosters trust in the continually evolving landscape of the life sciences industry. Some key ways to enhance security of data include:

  • Managing linked datasets: It is essential to have a clear understanding of the data you hold and of the mechanisms that link multiple datasets, for instance where clinical trial data is shared or raw datasets are reused for further research. Where datasets or user profiles are linked, as in the DNA Relatives feature, additional safeguards and controls should be implemented so that the compromise of one record or account does not expose the linked ones: limit what a linked record reveals to the minimum the linking purpose requires, and make the link opt-in and revocable.
  • Protect against credential stuffing: If your company provides products and services directly to consumers, consider additional measures to secure access to sensitive information. Minimum password requirements, warning users at the point of choosing a password not to reuse one from another site, and checking new passwords against lists of known-breached passwords all reduce the chance that a password leaked elsewhere opens an account with you. Multi-factor authentication defeats credential stuffing even when the password is correct, and rate limiting or anomaly detection on login attempts (many different accounts tried from the same source with a high failure rate) can stop an attack in progress. Placing special category data in a separate area that requires additional authentication further limits what a compromised password alone can reach.
  • Employee training and awareness: Human error is perhaps the most significant risk to data security. All employees who access personal data in the course of their duties should receive regular and effective training on data security, and compliance with internal protocols should be tested regularly, for example through simulated phishing attacks.
  • Data Protection Impact Assessments (DPIAs): Use DPIAs to consider processing activities systematically and in detail, to identify vulnerabilities and the measures that may be implemented to mitigate them. When digital or technological solutions are introduced, this is even more important, to ensure that cyber risk is considered alongside privacy risk.
  • Data breach preparedness: Where a personal data breach is likely to result in a risk to affected individuals, it must be reported to the ICO without undue delay and within 72 hours of becoming aware of it, and where the risk is high the affected individuals must also be informed. Developing a clear process for investigation, containment and communication with the ICO (and other regulators) ensures compliance with these obligations and helps mitigate the harm.
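The two credential-stuffing controls above that are most often missing from consumer portals, a breached-password check at password-set time and detection of the attack pattern in login logs, are shown in the following added example. It is written for this article and is not code from 23andMe or from any product; the breach corpus and the log lines are constructed, and the range-query helper is a stand-in for a real service such as the Have I Been Pwned Pwned Passwords API (an assumption about what you would substitute, not something the article describes).

```python
"""Added example (not from the article or 23andMe): two controls against
credential stuffing on a consumer-facing portal.

1. check_new_password(): at password-set time, reject short passwords and
   passwords whose SHA-1 hash appears in a breach corpus, using the
   k-anonymity range-query pattern (only the first 5 hex characters of the
   hash leave the client; suffixes are compared locally). The corpus here is
   a constructed in-memory set standing in for a service such as Have I Been
   Pwned's Pwned Passwords range API.
2. detect_credential_stuffing(): flag source IPs that, within a time window,
   attempt logins to many distinct accounts with a high failure rate. That
   is the signature of stuffing (one known password per account, across
   many accounts), as opposed to brute force (many passwords, one account).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib

# ---- 1. breached-password check at password-set time ----------------------

# Constructed breach corpus: upper-case hex SHA-1 of a few well-known passwords.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "correcthorsebatterystaple")
}


def _range_lookup(prefix5: str) -> set[str]:
    """Stand-in for a k-anonymity range query: all breached-hash suffixes whose
    hash starts with the 5-character prefix. A real client would fetch
    https://api.pwnedpasswords.com/range/<prefix5> here (assumption: the only
    piece you would swap for production)."""
    return {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix5)}


def check_new_password(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Return (accepted, reason). Length is checked first; a breached password
    is rejected regardless of how complex it looks."""
    if len(password) < min_length:
        return False, f"password must be at least {min_length} characters"
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest[5:] in _range_lookup(digest[:5]):
        return False, "password appears in a known breach; choose one not used elsewhere"
    return True, "ok"


# ---- 2. credential-stuffing detection over login logs ----------------------

# Constructed sample log lines: "<iso-timestamp> <source-ip> <username> <result>".
# 203.0.113.7 tries eight different accounts in seven seconds and gets into two;
# 198.51.100.4 is a genuine user who mistypes their password once.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice@example.com FAIL
2023-05-01T10:00:02 203.0.113.7 bob@example.com FAIL
2023-05-01T10:00:03 203.0.113.7 carol@example.com SUCCESS
2023-05-01T10:00:04 203.0.113.7 dave@example.com FAIL
2023-05-01T10:00:05 203.0.113.7 erin@example.com FAIL
2023-05-01T10:00:06 203.0.113.7 frank@example.com FAIL
2023-05-01T10:00:07 203.0.113.7 grace@example.com SUCCESS
2023-05-01T10:00:08 203.0.113.7 heidi@example.com FAIL
2023-05-01T10:01:00 198.51.100.4 alice@example.com FAIL
2023-05-01T10:01:30 198.51.100.4 alice@example.com SUCCESS
2023-05-01T11:30:00 192.0.2.9 bob@example.com SUCCESS
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, bool]]:
    """Parse the constructed log format into (timestamp, ip, user, succeeded)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_rate=0.5):
    """Map each flagged source IP to the distinct accounts tried, attempts made
    and the accounts it actually got into within some `window`. The successes
    matter most: those accounts had reused passwords and need a forced reset."""
    by_ip: dict[str, list] = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sorted(u for _, u, ok in win if ok)
            if len(users) >= min_distinct_users and len(successes) / len(win) <= max_success_rate:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(win),
                               "successes": successes}
    return flagged


if __name__ == "__main__":
    print(check_new_password("correcthorsebatterystaple"))
    print(check_new_password("Tr0ub4dor&3-lighthouse"))
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The detector keys on the source address for simplicity; real campaigns spread attempts across proxy pools, so in production the same sliding-window logic is also run per user-agent fingerprint and per ASN, and the threshold is tuned against the portal's normal ratio of distinct accounts per source. Neither control replaces multi-factor authentication, which stops the attack even when the reused password is correct.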

If you require a review of your business's compliance with data protection law, require advice on topics raised in this article, or more widely, please contact Hannah Sterry in our Data Protection team on 07771 316 095, or complete the form below.
