23andMe 'failed to take basic steps' to protect private information, investigation finds


DNA testing company 23andMe didn't have adequate data protections and ignored warning signs ahead of a massive data breach almost two years ago, an investigation by Canada's privacy commissioner found.

Commissioner Philippe Dufresne told reporters that proper protections were not in place in 2023 when hackers gained access to roughly 6.9 million profiles on the site — nearly half its client base.

"The breach serves as a cautionary tale for all organizations about the importance of data protections," Dufresne said during a news conference on Tuesday.

"With data breaches growing in severity and complexity — and ransomware and malware attacks rising sharply — any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable."

Customer profiles contained delicate personal data, including birth year, geographic location, health information and the percentage of DNA users share with their relatives. Dufresne said some of the stolen info was later being sold online.

The investigation was launched last year in conjunction with U.K. information commissioner John Edwards.

"23andMe failed to take basic steps to protect people's information, their security systems were inadequate, the warning signs were there and the company was slow to respond," Edwards said.

Like other genetic testing businesses, 23andMe uses saliva samples to generate reports about a customer's ancestry as well as potential predispositions to certain health conditions.

WATCH | UK Information Commissioner John Edwards slaps 23andMe with fine:
In a joint press conference held Tuesday morning in Ottawa, UK Information Commissioner John Edwards announced a fine of 2.31 million GBP against the genetic testing company 23andMe. This decision follows a collaborative investigation with Privacy Commissioner of Canada Philippe Dufresne. Edwards stated that the company failed to implement fundamental security measures necessary to protect personal information worldwide.

Nearly 320,000 Canadians and 150,000 people in the U.K. were impacted by the 2023 breach, the commissioners said.

Edwards said that the U.K. has slapped the San Francisco-based company with a $4.2-million fine over the data breach, but Dufresne said he doesn't have the power to hit the company with monetary penalties.

"[The authority to fine companies] is something that exists broadly around the world in privacy authorities and it is something that is necessary. Unfortunately, Canadian privacy law does not yet provide this to me," Dufresne said.

Legal changes have been proposed in the past that would give the privacy commissioner the authority to levy fines, but they have never been enacted. Dufresne said he hopes the new Parliament will propose changes again soon.

WATCH | Canada's privacy commissioner says his office should be able to impose fines:
Canada’s Privacy Commissioner Philippe Dufresne is calling for better tools, saying Canadian law prevents him from issuing fines like his U.K. counterpart did following an investigation into genetics testing company 23andMe following a global data breach.

23andMe filed for bankruptcy earlier this year and announced that it would be selling off its assets — meaning customers' data could be "accessed, sold or transferred." However, the company said the bankruptcy process will not affect how it stores, manages or protects customer data.

Dufresne and Edwards said they expect the company to adequately protect user data during any sale.

"We will be following this carefully … the [privacy] obligations should continue to apply to any new owner," Dufresne said.
