Genetic testing firm 23andMe has been fined £2.31 million by a UK watchdog over a 2023 data breach in which the personal information of seven million people across the world was stolen.
The Information Commissioner's Office (ICO) said the California-based company, which later filed for bankruptcy, failed to put adequate measures in place to secure sensitive user data.
The company is well known for its saliva-based test kits that offer a glimpse into a person’s genetic ancestry.
More than 150,000 UK residents had their personal information taken by hackers.
The stolen information includes names, year of birth, geographical information, profile pictures, race, ethnicity, health reports, and family trees.
The ICO investigation, conducted jointly with Canada's privacy watchdog, found that 23andMe breached UK data protection law by not implementing adequate safeguards during its login process.
The UK's Information Commissioner, John Edwards, described it as a "profoundly damaging" breach that exposed sensitive information of thousands of people in the UK.
Though the attacks started in April 2023, 23andMe did not begin an investigation until October that year, when an employee discovered the stolen data on Reddit.
The data breach led to lawsuits in different countries. A US case was settled last year for $30 million, while a Canadian suit is still pending.
By March this year, the company filed for bankruptcy protection in the US, as it was unable to rebuild trust after the hack and falling revenues.
However, following a bankruptcy auction, its former chief executive, Anne Wojcicki, is poised to retake control.
The company will now be sold for £225m to Wojcicki and her non-profit TTAM.