UK Regulator Fines 23andMe £2.3m for 2023 Data Breach


Information stolen from US company included details of 150,000 British residents including family trees

The genetic testing company 23andMe has been fined over £2.3m for failing to safeguard the personal data of 150,000 UK residents following a cyberattack in 2023. Sensitive information such as family trees, health reports, names, and postcodes was stolen from the California-based firm. According to the UK Information Commissioner's Office, the breach was only confirmed after an employee noticed the data being sold on Reddit, months after the attack began.

The breach, which lasted several months in 2023, was described by the information commissioner, John Edwards, as a severe violation. While UK data was compromised, a total of 7 million individuals were affected by the breach. 23andMe charges £89 for DNA testing kits that reveal ancestry and ethnicity, but many users requested their data to be removed after the hack. The company filed for bankruptcy protection in the US in March.

The fine was imposed while a $305m bid led by former CEO Anne Wojcicki was seeking to regain control of the company in a bankruptcy auction. Edwards stated that the breach exposed sensitive personal information, family histories, and health conditions of thousands of people in the UK. The company was found to have had inadequate security systems and to have failed to take the necessary steps to protect user data, including implementing stronger authentication measures.

The hacker exploited a common weakness by using stolen passwords from other breaches in a tactic known as “credential stuffing”. Edwards criticized the company for being slow to respond to the breach, leaving users vulnerable to exploitation. 23andMe has since taken steps to enhance security measures, including allowing users to delete accounts and opt out of research, and offering identity theft monitoring for two years.
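The credential-stuffing pattern described above (one source reusing passwords leaked elsewhere against many different accounts) is something a login service can spot in its own authentication logs. The following is an added detection example written for this article, not code from 23andMe or the ICO; the log records, the source addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events: (timestamp, source IP, account, outcome).
# A stuffing run shows one source trying many *different* accounts in a short
# time, most failing and a few succeeding; a normal user retries one account.
SAMPLE_EVENTS = [
    ("2023-05-01T10:00:00", "198.51.100.7", "alice", "fail"),
    ("2023-05-01T10:00:02", "198.51.100.7", "bob", "success"),
    ("2023-05-01T10:00:04", "198.51.100.7", "carol", "fail"),
    ("2023-05-01T10:00:06", "198.51.100.7", "dave", "fail"),
    ("2023-05-01T10:00:08", "198.51.100.7", "erin", "success"),
    ("2023-05-01T10:00:10", "198.51.100.7", "frank", "fail"),
    ("2023-05-01T10:01:00", "203.0.113.5", "grace", "fail"),
    ("2023-05-01T10:01:20", "203.0.113.5", "grace", "fail"),
    ("2023-05-01T10:01:40", "203.0.113.5", "grace", "success"),
]


def parse_events(rows):
    """Turn the raw tuples into (datetime, ip, account, outcome) records."""
    return [(datetime.fromisoformat(ts), ip, user, outcome) for ts, ip, user, outcome in rows]


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that attempt logins against at least `min_accounts`
    distinct accounts inside any sliding `window`. The assumed thresholds are
    illustrative. Returns {ip: {"accounts": n, "compromised": [accounts that
    succeeded]}} so responders know which accounts to lock and re-verify."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # chronological; tuples sort by timestamp first
        start = 0
        for end, (ts, _, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # slide the window forward
                start += 1
            win = attempts[start:end + 1]
            accounts = {u for _, u, _ in win}
            if len(accounts) >= min_accounts:
                hits = sorted({u for _, u, o in win if o == "success"})
                prev = flagged.get(ip)
                if prev is None or len(accounts) > prev["accounts"]:
                    flagged[ip] = {"accounts": len(accounts), "compromised": hits}
    return flagged


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_events(SAMPLE_EVENTS)))
```

The same per-source view also explains why the article's "stronger authentication measures" matter: with a second factor required, the two successful guesses would not have yielded account access.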

The ICO has issued several multimillion-pound fines for data breaches in recent years, including a £4.4m fine to Interserve in 2022 and a £3.1m fine to Advanced Computer Software Group in March for security failings.



Source: The Guardian