23andMe Fined £2.3 Million for Data Breach, Files for Bankruptcy Protection
23andMe has been fined £2.3 million by a UK watchdog for a 2023 data breach affecting over 6.9 million users, leading to bankruptcy protection filing.
Overview
- 23andMe was fined £2.3 million by the UK Information Commissioner's Office for a data breach affecting over 6.9 million users.
- The breach involved a 'credential stuffing' attack, where hackers accessed user accounts due to weak authentication measures.
- UK regulators cited the company's lack of secure password requirements and additional verification steps as reasons for the fine.
- Following the fine, 23andMe filed for bankruptcy protection in the US, indicating severe financial repercussions from the breach.
- In response to the incident, 23andMe has implemented mandatory multi-factor authentication to enhance user account security.
Content generated by AI—learn more or report issue.
Get both sides in 5 minutes with our daily newsletter.
Analysis
Emphasizes 23andMe's significant data breach and regulatory fines due to inadequate security measures.
23andMe experienced a "credential stuffing" attack in October 2023, resulting in the theft of private data from over 6.9 million users.
The ICO found that 23andMe violated UK data protection law by failing to implement multi-factor authentication for customer login.
The company lacked secure password requirements and additional verification steps for users to download raw genetic data, as noted by the ICO.
23andMe was fined £2.31m by a UK watchdog for a data breach in 2023 that exposed the personal information of over 150,000 UK residents.
Articles (3)
"…23andMe failed to take basic steps to protect the information and their security systems were inadequate, the UK data protection regulator found."
The Guardian·7d·"…This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions."
BBC News·7d·"…The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1m) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach."
TechCrunch·7d·FAQ
The breach exposed users' ancestry information, genetic health data, profile names, photos, birth years, locations, family surnames, grandparents' birthplaces, ethnicity estimates, mitochondrial DNA haplogroup, Y-chromosome DNA haplogroup, and optionally shared text in the 'About' section.
The hackers used credential stuffing attacks, exploiting the reuse of passwords across different websites and the lack of multi-factor authentication on 23andMe accounts, allowing access to accounts with weak authentication measures.
Approximately 6.9 million users' data was accessed through the breach, with around 14,000 user accounts directly compromised due to reused credentials.
23andMe implemented mandatory multi-factor authentication for user accounts and launched an investigation upon discovering the breach.
23andMe was fined £2.3 million by the UK Information Commissioner's Office for failing to secure user accounts properly and subsequently filed for bankruptcy protection in the United States due to the financial repercussions of the breach.
History
- 7d3 articles