DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack | Technology

The genetic testing company 23andMe has been fined more than £2.3m for failing to protect the personal information of more than 150,000 UK residents after a large-scale cyber-attack in 2023.
Family trees, health reports, names and postcodes were among the sensitive data that was hacked from the California-based company. It only confirmed the breach months after the infiltration began, and only once an employee saw the stolen data advertised for sale on the social media platform Reddit, according to the UK Information Commissioner, which imposed the fine.
The information commissioner, John Edwards, described the incident, which went on for months during the summer of 2023, as “a deeply harmful breach”. The UK data was just a small part of the wider losses, with the data of 7 million people affected.
23andMe users pay £89 to have their DNA analysed using a saliva kit, allowing them to discover where their ancestors came from by ethnicity and location. But many customers asked for their DNA data to be deleted from the company’s archive after the hack, and the company filed for bankruptcy protection in the United States in March.
The fine came as a $305m bid to buy the company, led by its former chief executive, Anne Wojcicki, appeared set to restore her control of the company at the bankruptcy auction.
Edwards said the data breach exposed “sensitive information, family history, and even health conditions for thousands of people in the United Kingdom”.
He said: “As one of the affected people told us: once this information exists, it cannot be changed or re-released, like a password or credit card number.”
The UK data protection regulator found that 23andMe failed to take basic steps to protect information and that its security systems were inadequate. The failings included a failure to implement stronger user authentication.
The attackers took advantage of a common weakness caused by users reusing passwords that had already been stolen in other data breaches. They then used automated tools to try these passwords in a tactic called “credential stuffing”.
“The warning signs were there, and the company was slow to respond,” said Edwards, who conducted the investigation in conjunction with Canada’s Privacy Commissioner. “This has left people’s most sensitive data vulnerable to exploitation and damage.”
A company spokesperson said that 23andMe has since implemented multiple steps to increase security to protect individual accounts and information. They said that as part of the deal to acquire 23andMe, Wojcicki’s TTAM Research Institute had made “binding commitments to enhance protections for customer data and privacy, including allowing individuals to delete their account at any time” and to “agree to not sell or transfer genetic data post-bankruptcy”.
The fine is among several multimillion-pound penalties that the ICO has imposed in recent years for failures to protect data from hacks and ransomware attacks. In 2022, it fined the construction company Interserve £4.4m when employee data, including contact details, bank accounts, sexual orientation and health information, was compromised.
In March this year a fine Supplier to be