OTTAWA — Inadequate security measures opened the door to a data breach discovered two years ago at genetic testing company 23andMe, Canada's privacy watchdog says.
Privacy commissioner Philippe Dufresne and U.K. information commissioner John Edwards released the findings from their joint investigation of the breach, which affected almost seven million people, including nearly 320,000 in Canada.
Dufresne told a news conference Tuesday the breach is a cautionary tale for all organizations about the importance of data protection in an era of growing cyberthreats.
"It is particularly relevant at a time when more and more personal information is being collected, used and shared in a growing digital economy," he said.
23andMe, which filed for bankruptcy in March, sells testing kits that use a customer's saliva sample to uncover genetic information through DNA analysis.
Dufresne said the compromised data included highly sensitive information related to health, race and ethnicity, as well as details about relatives, date of birth, sex at birth and gender.
"We were also concerned to find that the stolen data was later offered for sale online, putting the personal information of affected individuals at further risk," he said.
Dufresne and Edwards announced last May they would look into the data breach's scope, the company's data handling safeguards and whether it adequately notified regulators and affected individuals about the lapse.
The investigation found the hacker used stolen log-in details — usernames or email addresses and passwords — from other websites affected by previous breaches and then entered those credentials into 23andMe’s log-in page until they found matches.
Beginning on April 29, 2023, and over the course of five months, the hacker was able to obtain access to the accounts of more than 18,000 customers, according to a summary of the investigation's findings.
Customers could opt into a feature that allowed them to share information with genetic relatives. If this feature was activated, personal information accessible to the hacker could also include the data of thousands of other individuals to whom the owner of the compromised account was genetically linked — meaning the information of millions of customers was ultimately exposed.
The investigation found 23andMe "did not develop appropriate safeguards" to prevent the attack, the summary says. The deficiencies included:
— a lack of mandatory multi-factor authentication, which requires a user to enter more information than just a password;
— inadequate minimum password complexity requirements;
— a lack of robust checks to see if customers were reusing credentials that had been compromised in previous data breaches;
— and no additional protections to protect the most sensitive personal information, including raw DNA data, from being accessed and downloaded from an account.
The investigation also found 23andMe’s detection mechanisms failed to alert the company to clear signals that a hacker was attempting to gain, and had obtained, unauthorized access to large numbers of customer accounts.
Despite the urgency of the situation — and 23andMe being aware of the credential-based attack when it was potentially ongoing — it took the company four days to disable all active user sessions and implement a password reset for all customers, the summary says.
It also took 23andMe approximately one month to disable the self-service raw DNA download feature and implement mandatory multi-factor authentication, the investigation found.
This report by The Canadian Press was first published June 17, 2025.
Jim Bronskill, The Canadian Press
