UK Cybersecurity Regulatory Perspective for June 2025
The Information Commissioner's Office (ICO) has fined genetic testing company 23andMe £2.31 million following a 2023 cyberattack that exposed the personal information of over 155,000 UK residents. The ICO found that the breach, which involved sensitive genetic data, resulted primarily from the company's failure to protect that information adequately, in breach of UK data protection law.
The attack was credential stuffing: attackers logged in with usernames and passwords that customers had reused from breaches elsewhere, then exfiltrated sensitive data including names, birth years, ethnicity, health reports and family history. The ICO's key findings were that 23andMe lacked multi-factor authentication, had ineffective rate limiting and alerting on its login API, and more generally had insufficient controls to prevent unauthorised access or to respond to it quickly.
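The two controls the ICO singled out, rate limiting and alerting on the login API, are worth seeing in working form, because the usual per-account lockout does not catch credential stuffing at all: a stuffing run makes one attempt per account across thousands of accounts, so no single account ever trips a failure counter. The Python below is an example added to this page, not code from 23andMe or from the ICO's penalty notice. The log format, the IP addresses, the account names and the thresholds are constructed assumptions for illustration; a real deployment would tune the windows and pair the per-IP counters with device and ASN signals, since attackers spread stuffing across proxies.

```python
"""Login rate limiting and credential-stuffing alerting over sample logs.

Added worked example for this page; not code from 23andMe or the ICO notice.
The log format, addresses, account names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample log: "<epoch seconds> <source ip> <account> <ok|fail>".
# 203.0.113.7 walks a list of accounts with one attempt each, the typical
# credential-stuffing shape: few failures per account, many accounts per
# source, and a handful of successes where a reused password still works.
# 198.51.100.4 then brute-forces a single account (carol) for contrast.
SAMPLE_LOG = """\
1000 198.51.100.4 alice fail
1001 198.51.100.4 alice ok
1005 203.0.113.7 user01 fail
1006 203.0.113.7 user02 fail
1007 203.0.113.7 user03 ok
1008 203.0.113.7 user04 fail
1009 203.0.113.7 user05 fail
1010 203.0.113.7 user06 fail
1011 203.0.113.7 user07 ok
1012 203.0.113.7 user08 fail
1013 203.0.113.7 user09 fail
1014 203.0.113.7 user10 fail
1015 203.0.113.7 user11 fail
1040 198.51.100.4 carol fail
1041 198.51.100.4 carol fail
1042 198.51.100.4 carol fail
1090 198.51.100.9 bob ok
"""


@dataclass
class Thresholds:
    window_s: int = 60             # sliding window length in seconds
    max_ip_attempts: int = 10      # attempts per source IP per window before throttling
    max_ip_accounts: int = 5       # distinct accounts per source IP per window -> alert
    max_account_failures: int = 3  # failures per account per window -> lock


@dataclass
class LoginMonitor:
    th: Thresholds = field(default_factory=Thresholds)
    ip_attempts: dict = field(default_factory=lambda: defaultdict(deque))
    ip_accounts: dict = field(default_factory=lambda: defaultdict(dict))
    acct_failures: dict = field(default_factory=lambda: defaultdict(deque))
    alerts: list = field(default_factory=list)

    def _trim(self, dq, now):
        """Drop timestamps that have aged out of the sliding window."""
        while dq and dq[0] <= now - self.th.window_s:
            dq.popleft()

    def observe(self, ts, ip, account, ok):
        """Return 'allow', 'throttle' or 'lock' for one attempt; alerts accumulate."""
        # Rate limit per source first. Count attempts, not only failures, so an
        # attacker cannot refill the budget by mixing in known-good logins.
        attempts = self.ip_attempts[ip]
        self._trim(attempts, ts)
        if len(attempts) >= self.th.max_ip_attempts:
            self.alerts.append(
                f"throttle ip={ip} attempts={len(attempts)} window={self.th.window_s}s")
            return "throttle"
        attempts.append(ts)

        # Credential-stuffing signature: one source touching many distinct accounts.
        seen = self.ip_accounts[ip]
        seen[account] = ts
        for acct, last in list(seen.items()):
            if last <= ts - self.th.window_s:
                del seen[acct]
        if len(seen) == self.th.max_ip_accounts:  # fire once, on crossing
            self.alerts.append(f"stuffing ip={ip} distinct_accounts={len(seen)}")

        # Per-account failure counter: catches brute force of one account, but
        # never fires for stuffing, where each account sees a single attempt.
        fails = self.acct_failures[account]
        self._trim(fails, ts)
        if not ok:
            fails.append(ts)
            if len(fails) >= self.th.max_account_failures:
                self.alerts.append(f"lock account={account} failures={len(fails)}")
                return "lock"
        return "allow"


def parse_line(line):
    ts, ip, account, result = line.split()
    return int(ts), ip, account, result == "ok"


def run(log_text, th=None):
    """Replay a log through the monitor; returns (decisions, alerts)."""
    mon = LoginMonitor(th or Thresholds())
    decisions = [mon.observe(*parse_line(l)) for l in log_text.splitlines() if l.strip()]
    return decisions, mon.alerts


if __name__ == "__main__":
    decisions, alerts = run(SAMPLE_LOG)
    for d, line in zip(decisions, SAMPLE_LOG.splitlines()):
        print(f"{d:8} {line}")
    print("\n".join(alerts))
```

On the constructed log the per-IP distinct-account counter raises the stuffing alert on the fifth account from 203.0.113.7, the per-IP attempt budget throttles that source at its eleventh attempt, and the per-account counter locks carol after three failures; no account touched by the stuffing run ever reaches the lock threshold, which is why a login API needs the per-source view and not just account lockout.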
The breach response was also slow and flawed. After confirming the breach, the company took four days to lock compromised accounts and force password resets; customers were able to continue downloading raw genetic data for nearly a month afterwards without any additional security; and notification to the ICO was delayed by ten days, well beyond the 72-hour requirement under the UK GDPR.
The breach notices sent to users were also deficient: they did not specify the period of the breach, did not disclose that raw genetic data might have been exposed, and gave no guidance on the possible consequences. During the investigation the ICO further criticised 23andMe for delays, incomplete information, prioritising US regulators, and failing to provide requested data properly.
The final fine was lower than the £4.59 million originally envisaged. Aggravating factors in the calculation included the deficiencies in the company's breach reports, the delay in reviewing and improving security measures, the sensitive nature of the data, the distress caused to affected customers, and the potential for further harm.
The National Cyber Security Centre (NCSC) has launched a set of cyber security culture principles, designed to help an organisation's leaders and cyber security specialists build a resilient and secure organisation. The principles are accompanied by scenarios showing how poor security can stem from workplace culture, together with descriptions of good practice. The NCSC developed them following extensive research with industry and government partners.
The Department for Science, Innovation and Technology (DSIT) has launched its Cyber Growth Action Plan 2025, which will review the strengths of the UK cyber sector and deliver a set of recommendations to government; it is due to report this summer. The plan will analyse the UK's cyber products and services, explore new technologies, identify the opportunities presented by the Cyber Security and Resilience Bill, and seek to increase cyber resilience by identifying areas for collaboration and sharing good practice. It forms part of a wider effort to strengthen the UK's cyber security capabilities and protect citizens' personal information.
The forthcoming National Cyber Strategy is expected to draw on the insights from the Cyber Growth Action Plan.
The ICO's £2.31 million fine against 23andMe for the 2023 cyberattack is a clear signal that companies, particularly those handling data as sensitive as genetic information, must prioritise cyber security and fund protections adequate to prevent such breaches. Alongside it, the NCSC's cyber security culture principles give organisations a framework for building a resilient and secure environment, and the forthcoming National Cyber Strategy, informed by the Cyber Growth Action Plan and the Cyber Security and Resilience Bill, aims to strengthen the UK's cyber security capabilities as a whole.