An investigation by Canada’s privacy commissioner revealed that DNA testing company 23andMe lacked sufficient data protections and disregarded warning signs prior to a significant data breach almost two years ago. Commissioner Philippe Dufresne emphasized that in 2023, the company did not have adequate safeguards in place when hackers accessed around 6.9 million profiles, affecting nearly half of its client base. Dufresne highlighted the breach as a reminder to all organizations about the critical importance of data protection amid the increasing severity and complexity of data breaches, ransomware attacks, and malware threats.
The compromised customer profiles contained sensitive personal information such as birth year, location, health details, and DNA shared with relatives, with some stolen data reportedly being sold online. The investigation, conducted in collaboration with U.K. information commissioner John Edwards, found that 23andMe failed to implement basic security measures to safeguard people’s information, leading to a delayed response to the breach.
As with other genetic testing companies, 23andMe utilizes saliva samples to provide ancestry reports and insights into potential health predispositions for customers. The breach impacted nearly 320,000 Canadians and 150,000 individuals in the U.K., resulting in a $4.2-million fine imposed by the U.K. on the San Francisco-based company. However, Dufresne noted that Canadian privacy laws currently do not grant him the authority to levy financial penalties, highlighting the need for legal changes to empower privacy authorities to enforce fines.
While 23andMe has filed for bankruptcy and announced plans to sell its assets, potentially impacting customer data, the company assured that the bankruptcy process would not compromise data storage, management, or protection. Dufresne and Edwards emphasized the importance of ensuring continued data protection for users during any sale, with Dufresne underscoring the ongoing privacy obligations that should apply to any future owner of the company.