A company that provides direct-to-consumer genetic testing services has been fined £2.31 million by the Information Commissioner's Office (ICO) for failing to implement appropriate security measures to protect the personal information of UK users.
Between April and September 2023, the company's platform was subjected to a credential stuffing attack, a type of cyberattack in which usernames and passwords stolen from other services are replayed against a target's login page, succeeding wherever users have reused the same credentials. This resulted in unauthorised access to the personal information of 155,592 UK users.
The stolen personal data had been offered for sale on a number of online forums. At least some of the data constituted special category data, including personal data relating to health and genetic data, and data relating to the racial or ethnic origin of customers.
Following a joint investigation by the ICO and the Office of the Privacy Commissioner of Canada, the ICO found that the company had infringed Articles 5(1)(f) and 32(1)(b) and (d) of the UK General Data Protection Regulation (GDPR) by failing to implement:
- appropriate authentication and verification measures as part of its customer login process;
- appropriate security measures specifically focused on access to and downloading of special category data;
- measures that enabled the company to detect and appropriately respond to threats to its customers' personal data; and
- an appropriate process for regularly testing and assessing the effectiveness of its technical and organisational security measures, specifically in relation to the threat posed by a credential stuffing attack.
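The third failure above concerns the ability to detect anomalous login activity. The following is an added illustration of one such detection heuristic, not code from the ICO notice or the fined company's systems: it reads constructed authentication log lines and flags source addresses that attempt many distinct accounts with mostly failed logins, a pattern typical of credential stuffing rather than of a single user mistyping a password. The log format, thresholds and function names are assumptions for this example.

```python
"""Credential-stuffing detection heuristic over authentication logs (added
example; not from the ICO notice or the fined company's systems). Flags source
IPs that try many distinct usernames with a high failure rate in a short window
and reports which accounts those IPs actually got into. Log format and
thresholds are assumptions for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.5 alice FAIL
2023-05-01T10:00:02 203.0.113.5 bob FAIL
2023-05-01T10:00:02 203.0.113.5 carol FAIL
2023-05-01T10:00:03 203.0.113.5 dave OK
2023-05-01T10:00:04 203.0.113.5 erin FAIL
2023-05-01T10:00:05 203.0.113.5 frank FAIL
2023-05-01T10:00:30 198.51.100.9 alice FAIL
2023-05-01T10:00:35 198.51.100.9 alice OK
"""

def parse_log(text):
    """Parse lines into (timestamp, ip, user, success) tuples; skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: sorted accounts it logged into} for IPs whose activity inside
    some `window` covers >= min_users distinct usernames with a failure ratio
    >= min_fail_ratio. A user mistyping a password retries one account; a
    stuffing run tries many accounts once each, mostly failing."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            fails = sum(1 for e in chunk if not e[3])
            if len({e[2] for e in chunk}) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = sorted({e[2] for e in evs if e[3]})
                break
    return flagged
```

The second address in the sample, which retries one account and then succeeds, is deliberately left unflagged: the heuristic keys on breadth of accounts per source, which is the signal a per-account lockout policy alone would miss.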
The ICO concluded that the infringements constituted a serious failure to comply with the requirements of Articles 5(1)(f) and 32(1) of the GDPR. The seriousness of the infringements was aggravated by the sensitivity of the personal data processed by the company and the large number of data subjects. It was further aggravated by the company's failure to identify the breach at an earlier stage, despite multiple indications of anomalous and unauthorised activity, as well as deficiencies in its notification of the breach to the ICO.
Taking all the circumstances into account, the ICO considered that the imposition of a penalty of £2.31 million was an effective, proportionate and dissuasive response to the infringements.