
UK Watchdogs Fine 23andMe $3.1M for Data Security Violations

UK regulators on Tuesday fined 23andMe 2.31 million pounds ($3.1 million) for data privacy violations stemming from the company’s massive data breach in 2023.

The Information Commissioner’s Office says the genetic testing company, which has since filed for Chapter 11 bankruptcy protection in the US, failed to put in place “appropriate” security measures to protect the personal information of its UK users, compromising that data in the breach. The UK fine comes after a joint investigation by the ICO and Canada’s Office of the Privacy Commissioner.

In a statement, UK Information Commissioner John Edwards called the breach “profoundly damaging,” noting that it exposed sensitive personal information, including the family histories and health conditions of thousands of people in the UK. 

“Their security systems were inadequate,” Edwards said. “The warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

In 2023, cybercriminals breached 23andMe’s systems by using a “credential-stuffing attack,” which involves bombarding online accounts with huge sets of user names and passwords stolen in previous unrelated attacks. Over a period of months, the intruders were able to make off with the personal data of more than 6.9 million people, including about 155,000 UK residents.

The ICO said Tuesday that at the time of the breach, 23andMe didn’t require additional verification, such as a biometric indicator or a code sent to the user’s phone, to access user accounts, which violates UK law. The company has since changed its practices to turn on two-factor authentication by default.

Mounting costs related to the breach, along with fading demand for its services, were key factors in 23andMe’s decision to file for bankruptcy protection earlier this year. The move also caused tech and legal experts to wonder about the future security and privacy of the company’s vast collection of consumer genetic samples and personal data.

A bid from Regeneron Pharmaceuticals to buy most of the company’s assets for $256 million was met with criticism, but that company was ultimately outbid last week by the TTAM Research Institute, a nonprofit led by Anne Wojcicki, 23andMe’s cofounder and former CEO. That deal remains subject to final court approval and customary closing conditions.
