Global scrutiny of data protection and security standards at genetic testing company 23andMe is growing following results of a joint probe by the Office of the Privacy Commissioner of Canada and the U.K. Information Commissioner's Office. The company faces a 2.31 million GBP fine from the ICO for insufficient data security measures that led to a 2023 data breach impacting 6.9 million customers globally, including those in Canada and the U.K.

Specific to its data security claims, the OPC and the ICO alleged 23andMe "did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information." Additionally, the enforcers claimed the company had "inadequate" incident response, noting it "failed to properly investigate signals that a breach may be occurring, including a credible claim that customer data had been stolen."

"People affected by this breach told us that they felt anxious about what it could mean to their personal, financial and family safety," U.K. Information Commissioner John Edwards said during a joint press conference with Privacy Commissioner of Canada Philippe Dufresne. "As one of those impacted told us, unlike usernames, passwords and email addresses, you can't change your genetic makeup when a data breach occurs."

The ICO indicated the data breach potentially involved "names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports." Approximately 320,000 Canadians and 155,592 U.K. residents were involved in the breach, according to the regulators.

Dufresne said the impacts of the breach extended beyond the initial access. The investigation, which the OPC initiated in 2024, found hackers took the stolen data and put it up for sale online, risking further exploitation.

"Strong data protection must be a priority for organizations, especially those that are holding sensitive data," Dufresne said. "Organizations must take proactive steps against cyberattacks. This includes using multi-factor authentication, strong minimum password requirements, compromised password checks and adequate monitoring to detect abnormal activity with data breaches growing in severity and complexity."

According to Dufresne, the investigation is another example of the OPC "leveraging international collaboration" as a tool to compensate for its more limited regulatory powers. He said his office seeks to "maximize" its impact under the Personal Information Protection and Electronic Documents Act, which does not allow it to issue fines or impose binding obligations directly, though it can petition for court-ordered remedies.

The enforcement work comes as 23andMe is wrapped up in U.S. bankruptcy proceedings, leaving many questions around the future security of the company's vast biometric database. Since the bankruptcy announcement, customers were given a data deletion option and 23andMe committed to ensuring a final sale partner would adopt the company's existing privacy notice and practices.

Nonprofit TTAM Research Institute, led by former 23andMe co-founder and CEO Anne Wojcicki, has a USD305 million offer out to purchase the genetic testing company. Wojcicki was in her role at 23andMe during the 2023 breach, but the OPC and ICO are confident company commitments stemming from enforcement will hold through the sale.

"We've indicated in our report that we will be following this carefully," Dufresne said. "The obligations should continue to apply to any new owner, and if there are any concerns, our citizens can reach out to us and we will take appropriate steps."

In addition to investigation reports, the two regulators clarified legal requirements for the handling of personal information in their jurisdictions in filings to the trustee overseeing bankruptcy proceedings. The OPC added it will "provide the purchaser of 23andMe's data holdings with the report of findings from their joint investigation to ensure that they are aware of their legal privacy obligations."

Joe Duball is the news editor for the IAPP.