UK watchdog fines 23andMe over 2023 data breach

The U.K. Information Commissioner's Office (ICO) has imposed a fine of £2.31 million ($3.1 million) on genetic testing firm 23andMe due to its inadequate measures to safeguard the personal and genetic information of U.K. residents prior to a significant data breach in 2023. The ICO announced on Tuesday that the company failed to implement necessary verification processes, which allowed users to access and download their raw genetic data without sufficient security. This lack of protection proved detrimental when hackers compromised the accounts of over 6.9 million users, exploiting stolen credentials over several months. The investigation revealed that the absence of multi-factor authentication was a critical oversight, constituting a violation of U.K. data protection regulations. As a result of the breach, more than 155,000 individuals in the U.K. had their personal data unlawfully accessed. In light of the fine, 23andMe has stated that it has since introduced mandatory multi-factor authentication for all accounts, enhancing security measures for its users. Furthermore, the ICO is currently collaborating with the trustee of 23andMe following the company's move to file for bankruptcy protection. A court hearing regarding the sale of the company is anticipated later today.