Saturday Star News

Cyber attack on DNA data bank leads to R54.29 million fine for UK-based genetic testing company

The Washington Post


23andMe was fined £2.31 million (R54.29 million) by UK regulators after a 2023 cyber attack exposed users’ genetic data in yet another privacy crisis surrounding the troubled DNA data bank.

The UK Information Commissioner’s Office announced the penalty Tuesday after a joint investigation with its Canadian counterpart. The former Silicon Valley startup violated UK data-protection laws, it said, by failing to put in place appropriate authentication measures for customer login, relevant security steps for accessing raw genetic data, and measures to detect and respond to cyber threats.

The shortcomings allowed a hacker to access the personal information of more than 150,000 UK residents in 2023, potentially revealing data including their names, profile images, location and health reports. Despite the hacking activity starting in April, the company didn’t start a full investigation until October, when an employee discovered stolen data had been advertised for sale on Reddit, according to the regulator.

“23andMe failed to take basic steps to protect this information,” UK Information Commissioner John Edwards said in a statement. “This left people’s most sensitive data vulnerable to exploitation and harm.”

The San Francisco-based firm filed for bankruptcy in March after failing to generate sustainable profits with its medical and ancestry-related genetic testing. The sale of its valuable trove of genetic data from millions of users has sparked complaints from customers and government officials.

Former CEO Anne Wojcicki and nonprofit TTAM Research Institute have won an auction for the firm’s assets.