
UK Watchdogs Fine 23andMe $3.1M for Data Security Violations

The fine stems from the company's massive and "profoundly damaging" 2023 data breach.

Bree Fowler Senior Writer

UK fines 23andMe for data protection violations.

Getty

UK regulators on Tuesday fined 23andMe 2.31 million pounds ($3.1 million) for data privacy violations stemming from the company's massive data breach in 2023.

The Information Commissioner's Office says the genetic testing company, which has since filed for Chapter 11 bankruptcy protection in the US, failed to put in place "appropriate" security measures to protect the personal information of its UK users, leaving that data exposed in the breach. The UK fine comes after a joint investigation by the ICO and Canada's Office of the Privacy Commissioner.

In a statement, UK Information Commissioner John Edwards called the breach "profoundly damaging," noting that it exposed sensitive personal information, including the family histories and health conditions of thousands of people in the UK.

"Their security systems were inadequate," Edwards said. "The warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm."

In 2023, cybercriminals breached 23andMe's systems by using a "credential-stuffing attack," which involves bombarding online accounts with huge sets of user names and passwords stolen in previous unrelated attacks. Over a period of months, the intruders were able to make off with the personal data of more than 6.9 million people, including about 155,000 UK residents.
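Credential stuffing leaves a recognisable footprint in authentication logs: one source address touching many different accounts with a try or two each, rather than many tries against one account. The detector below is an added example, not code from the article or from 23andMe; the log line format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample auth log (not from 23andMe or any real system): one source
# address cycles through many usernames, a second shows ordinary user retries.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z src=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z src=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:02Z src=198.51.100.7 user=carol result=OK
2023-10-01T12:00:03Z src=203.0.113.5 user=carol result=FAIL
2023-10-01T12:00:04Z src=203.0.113.5 user=dave result=OK
2023-10-01T12:00:05Z src=203.0.113.5 user=erin result=FAIL
2023-10-01T12:00:09Z src=198.51.100.7 user=carol result=FAIL
2023-10-01T12:00:10Z src=198.51.100.7 user=carol result=FAIL
2023-10-01T12:00:11Z src=198.51.100.7 user=carol result=OK
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Return (timestamp, src, user, result), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"]

def detect_credential_stuffing(log_text, window_seconds=60, min_distinct_users=4):
    """Flag sources that touch >= min_distinct_users distinct accounts within
    window_seconds. Password guessing hammers one username; stuffing is the
    inverse: one or two tries per account, many accounts per source. Successful
    logins count too, since a stuffed credential that works is the real harm."""
    recent = defaultdict(deque)  # src -> (ts, user) events, oldest first
    alerts = {}                  # src -> sorted usernames seen from that source
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, _result = parsed
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_distinct_users:
            alerts[src] = sorted(users | set(alerts.get(src, [])))
    return alerts
```

A short window catches the bursty form of the attack; the months-long, low-rate campaign the article describes needs much longer windows or per-account signals (new device, new geography) on top of this, which is exactly the gap that a second factor closes regardless of detection.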

The ICO said Tuesday that at the time of the breach, 23andMe didn't require additional verification, such as a biometric check or a code sent to the user's phone, to access accounts, which violates UK law. The company has since changed its practices to turn on two-factor authentication by default.

Mounting costs related to the breach, along with fading demand for its services, were key factors in 23andMe's decision to file for bankruptcy protection earlier this year. The move also caused tech and legal experts to wonder about the future security and privacy of the company's vast collection of consumer genetic samples and personal data.

A bid from Regeneron Pharmaceuticals to buy most of the company's assets for $256 million was met with criticism, but that company was ultimately outbid last week by the TTAM Research Institute, a nonprofit led by Anne Wojcicki, 23andMe's cofounder and former CEO. That deal remains subject to final court approval and customary closing conditions.