The UK's data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect the personal and genetic data of UK residents prior to its 2023 data breach.
The Information Commissioner's Office (ICO) said Tuesday that it fined the genetic testing company because “there were no additional verification procedures for users to access and download raw genetic data” during the cyberattack.
In 2023, hackers stole private data of over 6.9 million users in a campaign that accessed thousands of accounts using stolen credentials. 23andMe did not require users to use multifactor authentication. The ICO said this violated UK data protection laws.
The ICO said more than 155,000 UK residents had their data stolen in the breach.
In response to the fine, 23andMe told TechCrunch that it had deployed mandatory multifactor authentication for all accounts.
The ICO said it has contacted 23andMe's trustee after the company filed for bankruptcy protection. A hearing on the sale of 23andMe is expected later on Wednesday.