Summary
The UK Information Commissioner's Office fined DNA testing company 23andMe £2.31 million for a 2023 data breach that exposed the personal information of thousands of people. Hackers accessed user accounts and data by using passwords exposed in other security leaks. The company's assets are set to be sold to a new owner, TTAM Research Institute, which promises to improve data protection.
Key Facts
- The data breach affected about 14,000 individual accounts and potentially exposed information related to around 6.9 million people.
- Hackers used a method called "credential stuffing" to access accounts, which involves trying passwords exposed in previous security leaks.
- Sensitive information of 155,592 UK residents was compromised, including names, birth years, and health details, but not DNA records.
- The UK watchdog found that 23andMe did not have strong enough security measures, like multi-factor authentication, to protect user data.
- The company failed to improve its security quickly, leaving personal data at risk.
- 23andMe filed for bankruptcy and agreed to sell its assets to TTAM Research Institute for $305 million, with commitments to enhance data protections.
- A bankruptcy court is scheduled to review the sale agreement for approval.
- Both the UK and Canadian privacy watchdogs called for better protection of users' sensitive data.