Genetic testing company 23andMe failed to take basic steps to protect customer data, according to a joint investigation by Canada and the U.K. into a massive global data breach that resulted in information from nearly seven million people being posted for sale online.
As a result, the U.K. is imposing a £2.31 million (C$4.24 million) fine on the company. Canada does not have the power to impose a similar penalty under current privacy laws.
Canada’s privacy commissioner Philippe Dufresne and U.K. information commissioner John Edwards revealed their findings at a news conference in Ottawa on Tuesday morning.
“With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,” Dufresne said on Tuesday. “Our investigation found that these types of security measures were not in place at 23andMe.”
In September, 23andMe agreed to pay US$30 million to settle a lawsuit after hackers accessed the personal data of 6.9 million customers and posted their information for sale on the dark web, including data from nearly 320,000 people in Canada and more than 150,000 people in the U.K. The 2023 attack appeared to specifically target customers with Chinese and Ashkenazi Jewish ancestry.
“The compromised data included highly sensitive information related to health, race and ethnicity information as well as information about relatives, date of birth, sex at birth and gender,” Dufresne explained. “Much of this information was derived from individuals’ DNA. The breach serves as a cautionary tale for all organizations about the importance of data protection in an era of growing cyber threats.”
The joint investigation by privacy authorities in Canada and the U.K. was launched in June 2024 to examine the scope of the breach and 23andMe’s response.
“People affected by this breach told us that they felt anxious about what it could mean to their personal, financial and family safety,” Edwards said at the press conference on Tuesday. “As one of those impacted told us, unlike usernames, passwords and email addresses, you can’t change your genetic makeup when a data breach occurs.”
23andMe filed for bankruptcy in March. On June 13, it was announced that a non-profit led by 23andMe co-founder Anne Wojcicki would purchase the troubled company for US$305 million.
Founded in 2006, 23andMe claims to have more than 15 million customers worldwide. The business was centred on at-home DNA testing kits that use saliva samples to provide genetic insights about health risks and ancestry. The California-based company went public in 2021, but never made a profit.
“23andMe failed to take basic steps to protect people’s information,” Edwards said. “Their security systems were inadequate, the warning signs were there and the company was slow to respond. This left people’s most sensitive personal data vulnerable to exploitation and harm.”
The investigation also found that 23andMe did not adequately notify regulators and affected customers of the breach as required by Canadian and U.K. laws. Dufresne said they were concerned to find the stolen data was later offered for sale online.
“Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information,” Dufresne said. “Organizations must also take proactive steps to protect against cyberattacks. This includes using multi-factor authentication, strong minimum password requirements, compromised password checks, and adequate monitoring to detect abnormal activity.”
Dufresne also called for modernized privacy laws in Canada that would allow him to issue fines and orders like his counterpart in the U.K.
“This is something that exists broadly around the world in privacy authorities and it is something that is necessary,” Dufresne said. “You can see in a case like this in terms of cybersecurity, in terms of things where time is of the essence, where there are real consequences, this is a gap.”
In a statement to CTV News, a 23andMe spokesperson said by the end of 2024 the company “had implemented multiple steps to increase security to protect individual accounts and information.” 23andMe’s new owner, they added, has “made several binding commitments to enhance protections for customer data and privacy,” including allowing users to delete their accounts and opt out of having their information used for research.

With files from Reuters and CNN