23andMe 'failed to take basic steps' to protect private information, investigation finds

DNA testing company 23andMe didn't have adequate data protections and ignored warning signs ahead of a massive data breach almost two years ago, an investigation by Canada's privacy commissioner found.
Commissioner Philippe Dufresne told reporters that proper protections were not in place in 2023 when hackers gained access to roughly 6.9 million profiles on the site — nearly half its client base.
"The breach serves as a cautionary tale for all organizations about the importance of data protections," Dufresne said during a news conference on Tuesday.
"With data breaches growing in severity and complexity — and ransomware and malware attacks rising sharply — any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable."
Customer profiles contained delicate personal data, including birth year, geographic location, health information and the percentage of DNA users share with their relatives. Dufresne said some of the stolen info was later being sold online.
The investigation was launched last year in conjunction with U.K. information commissioner John Edwards.
"23andMe failed to take basic steps to protect people's information, their security systems were inadequate, the warning signs were there and the company was slow to respond," Edwards said.
Like other genetic testing businesses, 23andMe uses saliva samples to generate reports about a customer's ancestry as well as potential predispositions to certain health conditions.
WATCH | U.K. commissioner fines 23andMe:
Nearly 320,000 Canadians and 150,000 people in the U.K. were impacted by the 2023 breach, the commissioners said.
Edwards said that the U.K. has slapped the San Francisco-based company with a $4.2-million fine over the data breach, but Dufrense said he doesn't have the power to hit the company with monetary penalties.
"[The authority to fine companies] is something that exists broadly around the world in privacy authorities and it is something that is necessary. Unfortunately, Canadian privacy law does not yet provide this to me," Dufrense said.
Legal changes have been proposed in the past that would give the privacy commissioner the authority to levy fines, but have never been enacted. Dufrense said he hopes the new Parliament will propose changes again soon.
WATCH | Canada's privacy commissioner says his office should be able to impose fines:
23andMe filed for bankruptcy earlier this year and announced that it would be selling off its assets — meaning customers' data could be "accessed, sold or transferred." However, the company said the bankruptcy process will not affect how it stores, manages or protects customer data.
Dufresne and Edwards said they expect the company to adequately protect user data during any sale.
"We will be following this carefully … the [privacy] obligations should continue to apply to any new owner," Dufresne said.

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

17 minutes ago

Suicide bomber strikes Syrian church near Damascus during mass

DAMASCUS, Syria -- A suicide bomber in Syria on Sunday detonated himself inside a church filled with people, state television and a war monitor said. The explosion in Dweil'a in the outskirts of Damascus took place as people were praying inside the Mar Elias Church. Britain-based war monitor the Syrian Observatory for Human Rights says there were 30 people wounded and killed, but the exact numbers are unclear. Some local media reported that children were among the casualties. The attack was the first of its kind in Syria in years, and comes as Damascus under its de facto Islamist rule is trying to win the support of minorities. As President Ahmad al-Sharaa struggles to exert authority across the country, there have been concerns about the presence of sleeper cells of extremist groups in the war-torn country. Security forces and first-responders rushed to the church. An eye witness said in a video widely circulated online that the attacker came in and started to shoot at the people there before detonating an explosive vest he was wearing.

CBS News

an hour ago

• CBS News

Giants pitcher Sean Hjelle accused of abuse by wife, MLB investigating

The San Francisco Giants said Major League Baseball is looking into allegations of abuse made by the wife of reliever Sean Hjelle. Caroline Hjelle made a post on TikTok on Friday of her with the couple's two children with a caption that said: "When my MLB husband abandons us on Mothers Day a week after this (video was taken) once I finally found about his affairs and stopped putting up with his abuse, so I've been raising two boys alone." Hjelle said after Saturday's game that he had no comment on the allegations, adding that he and his wife are in the process of finalizing their divorce. "I feel confident in saying that I will have one eventually," he said. "I don't have an exact timeline on that. But I would like to actually meet with the people that are handling the situation with me and for me before I actually make an official statement." The Giants said in a statement Saturday that they are "aware of these serious allegations" and that MLB is handling it. Manager Bob Melvin said before Saturday's game against the Boston Red Sox that Hjelle would be available to pitch. "Obviously we're aware of it," Melvin said. "He told me about it last night. We talked to MLB. At this point, it's in their jurisdiction right now so I really can't comment on it further." Hjelle took the loss in Friday night's game against the Red Sox, allowing a tiebreaking homer to Ceddanne Rafaela in the sixth inning. Hjelle is 1-1 with a 4.66 ERA in six appearances this season. ___ AP MLB:

The Hill

an hour ago

• The Hill

Iran accused of abducting journalist's family in retaliation for war coverage

DUBAI, United Arab Emirates (AP) — Iran detained the family members of an Iran International journalist Saturday in retaliation for the channel's coverage of the country's war with Israel, threatening to hold them until the journalist resigned from her position. The London-based Farsi news channel said in a statement that it strongly condemns the abduction of its journalist's family, calling it 'an appalling act of hostage-taking aimed at coercing our colleague into resigning from their post.' 'This deeply reprehensible tactic marks a dangerous escalation in the regime's ruthless campaign to silence dissent and suppress independent journalism,' the news channel said. The detainment marks the latest example of Iran's longstanding effort to crack down not only on Iranian journalists inside the country but also those abroad who still have family and friends living in Iran. The Islamic Republic is one of the world's top jailer of journalists, according to the Committee to Protect Journalists, and in the best of times, reporters face strict restrictions. The broadcaster said that Iran's paramilitary Revolutionary Guards took the presenter's mother, father and younger brother to an unidentified location. The journalist, whose name the outlet did not disclose, then received a phone call from her father early Saturday, urging her to resign from her role, according to Iran International. The voices of security agents could be heard in the background telling her father what to say. 'I've told you a thousand times to resign. What other consequences do you expect?' Iran International said her father told her. 'You have to resign.' Farsi-language broadcasters like Iran International and BBC Persia have long been targets for the Islamic Republic, given the fact that they broadcast in the native language and many Iranians, both domestically and abroad, rely on them for news, especially of the most recent Iran-Israel war amid an official internet blackout. Iran International in particular has become a target of Tehran in recent years over its programming that is critical of the theocratic government in Tehran. The Iranian government has called the news outlet a terrorist organization. One of its journalists was stabbed in 2024 in an attack suspected to have been carried out by Iran, while men were arrested in a suspected plot to target others at the channel.