Genetic testing firm 23andMe faces large fine for failing to protect customer data

Privacy Commissioner of Canada Philippe Dufresne leaves after a news conference at the National Press Theatre in Ottawa on Thursday, Feb. 29, 2024. (THE CANADIAN PRESS/Justin Tang)
Genetic testing company 23andMe failed to take basic steps to protect customer data, according to a joint investigation by Canada and the U.K. into a massive global data breach that resulted in information from nearly seven million people being posted for sale online.
As a result, the U.K. is imposing a £2.31 million (C$4.24 million) fine on the company. Canada does not have the power to impose a similar penalty under current privacy laws.
Canada's privacy commissioner Philippe Dufresne and U.K. information commissioner John Edwards revealed their findings at a news conference in Ottawa on Tuesday morning.
'With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,' Dufresne said on Tuesday. 'Our investigation found that these types of security measures were not in place at 23andMe.'
In September, 23andMe agreed to pay US$30 million to settle a lawsuit after hackers accessed the personal data of 6.9 million customers and posted their information for sale on the dark web, including data from nearly 320,000 people in Canada and more than 150,000 people in the U.K. The 2023 attack appeared to specifically target customers with Chinese and Ashkenazi Jewish ancestry.
'The compromised data included highly sensitive information related to health, race and ethnicity information as well as information about relatives, date of birth, sex at birth and gender,' Dufresne explained. 'Much of this information was derived from individuals' DNA. The breach serves as a cautionary tale for all organizations about the importance of data protection in an era of growing cyber threats.'
The joint investigation by privacy authorities in Canada and the U.K. was launched in June 2024 to examine the scope of the breach and 23andMe's response.
'In the wrong hands, an individual's genetic information could be misused for surveillance or discrimination,' Dufresne said in a news release when the investigation was announced. 'Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.'
23andMe filed for bankruptcy in March. On June 13, it was announced that a non-profit led by 23andMe co-founder Anne Wojcicki would purchase the troubled company for US$305 million.
Founded in 2006, 23andMe claims to have more than 15 million customers worldwide. The business was centred on at-home DNA testing kits that use saliva samples to provide genetic insights about health risks and ancestry. The California-based company went public in 2021, but never made a profit.
'23AndMe failed to take basic steps to protect people's information,' Edwards said at the press conference on Tuesday. 'Their security systems were inadequate, the warning signs were there and the company was slow to respond. This left people's most sensitive personal data vulnerable to exploitation and harm.'
The investigation also found that 23andMe did not adequately notify regulators and affected customers of the breach as required by Canadian and U.K. laws. Dufresne said they were concerned to find the stolen data was later offered for sale online.
'Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information,' Dufresne said. 'Organizations must also take proactive steps to protect against cyberattacks. This includes using multi-factor authentication, strong minimum password requirements, compromised password checks, and adequate monitoring to detect abnormal activity.'
Dufresne also called for modernized privacy laws in Canada that would allow him to issue fines and orders like his counterpart in the U.K.
'This is something that exists broadly around the world in privacy authorities and it is something that is necessary,' Dufresne said. 'You can see in a case like this in terms of cybersecurity, in terms of things where time is of the essence, where there are real consequence, this is a gap.'
In a statement to CTV News, a 23andMe spokesperson said by the end of 2024 the company 'had implemented multiple steps to increase security to protect individual accounts and information.' 23andMe's new owner, they added, has 'made several binding commitments to enhance protections for customer data and privacy,' including allowing users to delete their accounts and opt out of having their information used for research.
23andMe saliva collection kit
A 23andMe saliva collection kit is shown on March 25, 2025, in Oakland, Calif. (AP Photo/Barbara Ortutay)
With files from Reuters and CNN

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

CTV News

38 minutes ago

• CTV News

Double homicide in Manitoba cottage community

Winnipeg Watch A manhunt is underway following a double homicide in Victora Beach. Jeff Keele has more.

CTV News

38 minutes ago

• CTV News

Pickleball facility taking over former Cambridge Peavey Mart

A new indoor pickleball facility is set to take over the former Peavey Mart in Cambridge. Pickleplex Social Club is bringing a state-of-the-art indoor pickleball facility to the Galt location. The property's real estate agent said it is the perfect fit for the building at 75 Dundas St N. 'A lot of the natural tenants that would go into that location are already in that plaza, which made it a little more complicated. There were some other challenges with the building, so something like Pickleplex really was a good fit for the building,' said Fraser Vrenjak, senior vice president of Cushman & Wakefield Waterloo Region. Peavey Mart closed in January, due to ongoing financial struggles. Vrenjak said as many large retailers are struggling, recreational companies are trying to seize the opportunity. 'To this day, landlords aren't fully on board with all these recreational users just yet. There's still a little hesitation. they'd rather see a Sobeys grocery store or a sports check. They've been around for a while, and you know they're going to be there for the future, but they are definitely becoming more flexible with these uses,' Vrenjak said. 'We're using the space now for something that was, you know, maybe tough to fill in retail the way retail is going and utilizing for something like, active, healthy lifestyle,' said Owen Smith, co-founder of Pickleplex. Smith said Pickleplex will host lessons and tournaments while focusing on the quickly growing sport, but also pairs it with a social element. 'The way that we built every site and location is to have a social area for a common place for people to sit, lounge, sit on bar stools, watch their friends play,' said Smith. 'We want everyone to come and get to know each other, make new friends, keep that friendship both on the court and off the court. Pickleplex is set to open four additional locations in Ontario this year. The Cambridge location is expected to open its doors this fall. Pickleball has been growing in popularity in Cambridge. Four Fathers Brewing launched its Pickleball Society just over a year ago. 'Pickleball is such an accessible sport. People of all ages, and skill levels can pick up a paddle and have fun immediately,' Mike Hurdin, co-owner of Four Fathers Brewing said. 'To many, it's a social life. So people become friends, they stay active, and they feel more connected to the community by doing that.'

CTV News

41 minutes ago

• CTV News

Man suffers broken nose during arrest; ASIRT investigating

EDMONTON — An Edmonton police officer is being investigated for allegedly breaking a man's nose during an arrest last month. The Alberta Serious Incident Response Team (ASIRT) says the officer saw two men involved in a dispute over a broken window in the area of 97 Street and 103A Avenue at approximately 8:35 a.m. on Nov. 26. While the officer arrested the first man, the other one, a 38-year-old man, intervened and a struggle ensued, ASIRT said. The police officer used his baton and the 38-year-old man's nose was broken during the arrest. The man was taken to hospital, where he was also treated for a bruised face, ribs and left shoulder, ASIRT said. He also has a chipped tooth. ASIRT is investigating the arrest.