Privacy Commissioner of Canada Philippe Dufresne leaves after a news conference at the National Press Theatre in Ottawa on Thursday, Feb. 29, 2024. (THE CANADIAN PRESS/Justin Tang)

Genetic testing company 23andMe failed to take basic steps to protect customer data, according to a joint investigation by Canada and the U.K. into a massive global data breach.

As a result, the U.K. is imposing a £2.31 million fine on the company. Canada does not have the power to impose a similar penalty.

Canada’s privacy commissioner Philippe Dufresne and U.K. information commissioner John Edwards revealed their findings at a news conference in Ottawa on Tuesday morning.

“With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,” Dufresne said on Tuesday. “Our investigation found that these types of security measures were not in place at 23andMe.”

In September, 23andMe agreed to pay US$30 million to settle a lawsuit after hackers accessed the personal data of nearly seven million customers and posted their information for sale on the dark web, including data from nearly 320,000 people in Canada. The 2023 attack appeared to specifically target customers with Chinese and Ashkenazi Jewish ancestry.

The joint investigation by privacy authorities in Canada and the U.K. was launched in June 2024 to examine the scope of the breach and 23andMe’s response.

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” Dufresne said in a news release when the investigation was announced. “Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

23andMe filed for bankruptcy in March. On June 13, it was announced that a non-profit led by 23andMe co-founder Anne Wojcicki would purchase the troubled company for US$305 million.

Founded in 2006, 23andMe claims to have more than 15 million customers worldwide. The business was centred around at-home DNA testing kits that use saliva samples to provide genetic insights about health risks and ancestry. The California-based company went public in 2021, but never made a profit.

23andMe saliva collection kit A 23andMe saliva collection kit is shown on March 25, 2025, in Oakland, Calif. (AP Photo/Barbara Ortutay)

With files from Reuters and CNN