The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1m) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach.
The Information Commissioner’s Office (ICO) said on Tuesday it has fined the genetic testing company as it “did not have additional verification steps for users to access and download their raw genetic data” at the time of its cyberattack.
In 2023, hackers stole private data on more than 6.9 million users’ over a months-long campaign by accessing thousands of accounts using stolen credentials. 23andMe did not require its users to use multi-factor authentication, which the ICO said broke U.K. data protection law.
The ICO said over 155,000 U.K. residents had their data stolen in the breach.
In response to the fine, 23andMe told TechCrunch that it had rolled out mandatory multi-factor authentication for all accounts.
The ICO said it is in contact with 23andMe’s trustee following the company’s filing for bankruptcy protection. A hearing on 23andMe’s sale is expected later on Tuesday.
