23andMe Data Breach a Warning to Prioritize Privacy Protection, Canada's DPA Says
A global data breach at 23andMe in 2023 is "a cautionary tale" for all organizations about the importance of protecting data in an era of growing cyber threats, Canadian Privacy Commissioner Philippe Dufresne said Tuesday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
A joint investigation launched in June 2024 by the Canadian Office of the Privacy Commissioner (OPC) and the U.K. Information Commissioner's Office (ICO) found that the company lacked adequate security measures to protect the personal data of seven million users, including around 320,000 Canadians.
Between April and September 2023, a hacker carried out a credential-stuffing attack on the company's platform, exploiting reused login credentials that were stolen during previous unrelated data breaches, the OPC said.
The compromised data included highly sensitive information related to health, race and ethnicity; most of it was derived from individuals' DNA, OPC said.
The probe found that 23andMe failed to protect against unauthorized access to highly sensitive personal data and lacked effective systems to monitor, detect or respond to cyber threats targeting customers' sensitive information.
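As an added illustration (not from the article, the regulators or 23andMe), a minimal detection rule for the pattern the OPC describes: one source trying many distinct accounts with only one or two attempts each, which separates credential stuffing from a brute force against a single account. It runs over a constructed authentication log in an assumed format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, not real data. Assumed format:
# "<ISO timestamp> <src_ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:02 203.0.113.7 bob FAIL
2023-05-01T10:00:03 203.0.113.7 carol SUCCESS
2023-05-01T10:00:04 203.0.113.7 dave FAIL
2023-05-01T10:00:05 203.0.113.7 erin FAIL
2023-05-01T10:00:06 203.0.113.7 frank SUCCESS
2023-05-01T10:00:07 198.51.100.9 alice FAIL
2023-05-01T10:00:09 198.51.100.9 alice FAIL
2023-05-01T10:00:12 198.51.100.9 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

def parse_log(text):
    """Yield (timestamp, src_ip, user, ok) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result == "SUCCESS"

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that hit >= min_users distinct accounts inside `window`
    with at most two attempts per account (stuffing, not brute force).
    Returns {ip: sorted accounts that logged in successfully from that ip}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            per_user = max(sum(1 for _, u, _ in in_win if u == x) for x in users)
            if len(users) >= min_users and per_user <= 2:
                # Accounts that succeeded from a flagged source are the
                # ones to review for takeover and to re-authenticate.
                flagged[ip] = sorted({u for _, u, ok in in_win if ok})
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

The brute-force source (one account, repeated attempts) is deliberately not flagged here; a real deployment would pair this rule with a per-account lockout and a check for successes from unfamiliar devices.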
The company's response as the attack unfolded was also inadequate, the OPC said. It didn't investigate signals that a breach might be occurring, and it failed to adequately notify regulators and affected customers after the breach, as required by Canadian and U.K. law.
The company now faces a $3.1 million (£2.3 million) fine under U.K. privacy law. The OPC lacks the power to make orders or issue fines, it said.
23andMe filed for bankruptcy in the U.S. in March (see 2503240046), sparking concerns from customers about how their personal data might be shared and used in the future, OPC noted. It and the ICO contacted the trustee overseeing the proceedings to clarify legal requirements for handling the personal information of people in Canada and the U.K., it said. The company announced last week that it expects to close a sale to former CEO Anne Wojcicki in coming weeks (see 2506160045).
The regulators said they'll give the purchaser of 23andMe's data holdings a report on the findings of their investigation and won't "hesitate to take action if there is evidence that the new owner is not complying with privacy laws."