Genetic data company 23andMe had an "inadequate" security system and was "slow to respond" to warning signs that sensitive customer data was at risk before a "deeply damaging" 2023 data breach, privacy officials said.
Canadian Privacy Commissioner Philippe Dufresne and UK Information Commissioner John Edwards released the results of a joint investigation into the breach on Tuesday.
The investigation found that of the approximately 7 million people worldwide whose sensitive genetic information was accessed by hackers, roughly 320,000 were Canadians and over 150,000 were in the UK.
Dufresne said Tuesday that the breach should serve as a "cautionary tale" for all organizations about the importance of data protection.

Dufresne added that 23andMe lacked security measures, including proper authentication and verification steps in the login process such as multifactor authentication and strong minimum password requirements.
"As the severity and complexity increase, and ransomware and malware attacks rise rapidly, organizations that do not prioritize data protection and take steps to address these threats become increasingly vulnerable," Dufresne said.
The Canadian Privacy Commissioner has no authority to impose fines, but the UK Information Commissioner does. In this case, the company was fined a total of £2.31 million.
The fine was the result of 23andMe's failure "to implement appropriate security measures to protect the personal information of [its] users in the UK," Edwards said.

Edwards said the October 2023 data breach exposed sensitive personal information, including family history and even health data.

"This was a very harmful breach," he said.
"23andMe failed to take basic steps to protect people's information. Its security system was inadequate. The warning signs were there, and the company was slow to respond."
He went on to tell reporters that his office had heard from people affected by the breach who felt "uncertain" about what it meant for their personal, financial and family safety.
According to Dufresne, the investigation found that the stolen data was also being sold online, putting the personal information of affected individuals "at added risk."

Late last year the company settled a lawsuit accusing 23andMe of failing to protect the privacy of the 6.9 million customers whose personal information was exposed in the breach. The company was ordered to pay US$30 million and provide three years of security monitoring.
In the months after the breach, the company faced many problems, including seeing its public market value fall by more than 97% and the resignation of seven independent directors last September amid news that the founder planned to take it private again.
The company never made a profit and filed for bankruptcy in March, seeking to sell its business at auction after declining demand and the 2023 data breach.
Regeneron Pharmaceuticals last month agreed to buy the company for US$256 million, but declined to submit a new bid after 23andMe co-founder Anne Wojcicki topped the offer on Monday with a US$305 million bid from a nonprofit she controls.

Her nonprofit, the TTAM Institute, said Wojcicki's bid is expected to close in the coming weeks, after a court hearing scheduled for Tuesday. The nonprofit supports 23andMe's existing privacy policy and said it complies with all applicable data protection laws.
Reporters also asked Dufresne about Wojcicki, who was CEO during the data breach and could take over again, and about the possibility of the data being sold outside the company.
He said the company had taken steps to address some of the recommendations made by his office and Edwards' office, and that it had received assurances from the new buyer that it would respect the existing privacy policies and provisions.
"In our report we have shown that we will follow this with caution. The obligations should continue to apply to new owners, and citizens can reach out to us so that appropriate measures can be taken," Dufresne said.
He added that his office cannot impose fines, but that it has made recommendations to the government and works with international counterparts when necessary. He said that in "the appropriate case," he could apply to the Federal Court for an order that would make his recommendations binding on the organisation.
But Edwards issued a harsher warning to 23andMe: if it does not correct the failings, it could face further fines and enforcement action.
"These are continuing obligations, so it was drawn to the leadership's attention that they were in breach," Edwards said. "They have failed to reach the required standards in UK law. If they do not correct it, they will remain in breach and be exposed to further enforcement action."
– With files from Reuters
© 2025 Global News, a division of Corus Entertainment Inc.