23andMe Data Breach: UK Watchdog Issues Fine

23andMe Fined by U.K. Data Protection Watchdog

The U.K.’s data protection authority has issued a fine of £2.31 million (equivalent to $3.1 million) to 23andMe. This penalty stems from a failure to adequately safeguard the personal and genetic information of individuals residing in the U.K. prior to the data breach experienced in 2023.

Insufficient Data Security Measures

According to the Information Commissioner’s Office (ICO), the genetic testing company lacked crucial security protocols. Specifically, it “did not implement supplementary verification procedures for users seeking to access and download their raw genetic data” when the cyberattack occurred.

The 2023 breach involved hackers successfully obtaining private data from over 6.9 million users. This occurred over several months, facilitated by access to thousands of accounts using compromised login credentials.

Lack of Multi-Factor Authentication

23andMe did not mandate the use of multi-factor authentication for its users. The ICO determined this omission constituted a violation of U.K. data protection regulations.

Over 155,000 U.K. residents were affected by the data theft incident.

Response and Bankruptcy Proceedings

Following the ICO’s fine, 23andMe communicated to TechCrunch that it has since implemented mandatory multi-factor authentication across all user accounts.

The ICO is currently engaging with 23andMe’s trustee in light of the company’s recent filing for bankruptcy protection. A court hearing regarding the potential sale of 23andMe is scheduled for later on Wednesday.

Key Takeaways

• 23andMe received a £2.31 million fine from the U.K. data protection authority.
• The fine relates to data security failures preceding the 2023 data breach.
• A lack of multi-factor authentication was a significant contributing factor.
• Over 155,000 U.K. residents had their data compromised.