The U.K.’s data protection authority has fined genetic testing firm 23andMe £2.31 million ($3.1 million) for failing to adequately safeguard the personal and genetic data of U.K. residents prior to a major data breach in 2023.

The Information Commissioner’s Office (ICO) announced the penalty on Tuesday, stating that 23andMe lacked additional verification measures for users attempting to access and download their raw genetic data at the time of the cyberattack.

The 2023 breach saw hackers exploit stolen credentials in a months-long campaign, gaining access to data from over 6.9 million users. The company’s failure to implement multi-factor authentication was cited as a key violation of U.K. data protection laws.

According to the ICO, more than 155,000 U.K. users were affected in the breach.

In response, 23andMe told TechCrunch it has since introduced mandatory multi-factor authentication for all user accounts.

The ICO also noted it is in contact with 23andMe’s trustee following the company’s bankruptcy protection filing. A hearing regarding the company’s potential sale is scheduled for later on Wednesday.
