
A 23andMe booth at a genealogical event. The report estimated that seven million customers were affected, including about 320,000 Canadians and 150,000 U.K. residents. George Frey/Reuters

Consumer genetic-testing giant 23andMe did not take appropriate safety precautions to protect its customers’ data, according to privacy commissioners in Canada and Britain.

The joint investigation, from Canadian Privacy Commissioner Philippe Dufresne and U.K. Information Commissioner John Edwards, released Tuesday, found millions of customers’ sensitive information was lost in a 2023 hack and the company did not have adequate safeguards to protect against cyber threats.

Those deficits included not having mandatory multi-factor authentication or appropriate controls for accessing raw genetic data.

“Unlike usernames, passwords and e-mail addresses, you can’t change your genetic makeup when a data breach occurs,” one consumer told the commissioners, according to their report.

Privacy commissioner Philippe Dufresne says inadequate security measures opened the door to a data breach discovered two years ago at genetic testing company 23andMe.

The Canadian Press

The investigation found that between April and September of 2023, a hacker used login credentials obtained from other data breaches to enter 23andMe’s platform and take personal information, including birth years, postal codes, race, family trees and health reports.

The report estimated that seven million customers were affected, including about 320,000 Canadians and 150,000 U.K. residents.

The commissioners found that 23andMe made adequate improvements to its security by the end of 2024.

The U.K. Information Commissioner’s Office levied a fine of £2.31-million ($4.24-million) against 23andMe. Mr. Dufresne said his Canadian office did not have the power to levy a fine.

Mr. Dufresne also said the joint investigation was a good example of how regulators in different countries can work together to push back against globe-spanning companies, such as 23andMe.

The report comes at a difficult time for the company. It filed for bankruptcy in March valued at less than US$500-million, just four years after being valued at US$6-billion on the stock market.

The company’s revenue had sagged because of business model problems, as customers often took just one genetic test and didn’t buy more products, and because of confidence lost after the 2023 privacy breach.

In searching for new revenue streams, 23andMe licensed what it says are de-identified versions of the data to pharmaceutical companies, including British pharma giant GSK PLC, to aid in research for new drugs.

The breach also led to multiple class-action lawsuits. A U.S. case was settled last year for $30-million, while a Canadian suit is still pending but has been stayed temporarily during the U.S. insolvency proceedings.

The bankruptcy has raised concerns that sensitive customer information would be put up for sale. A bipartisan group of U.S. attorneys-general, led by Oklahoma, sued Monday to block 23andMe from selling customer data without customers’ consent.

Drugmaker Regeneron Pharmaceuticals offered US$256-million for the DNA-testing company, but was outbid by TTAM Research Institute, a non-profit led by former chief executive officer Anne Wojcicki, which bid US$305-million.

23andMe spokesperson Ann Sommerlath said TTAM has made “several binding commitments” to enhance consumer data protection, such as allowing individuals to delete their accounts and opt out of research uses of their data as well as “agreeing not to sell or transfer genetic data under a subsequent bankruptcy or change of control to any entity that does not adopt TTAM’s policies and comply with all laws.”

With reports from Reuters
