DNA testing company 23andMe didn’t have adequate data protections and ignored warning signs ahead of a massive data breach about 2 years ago, an investigation by Canada’s privacy commissioner found.
Hackers accessed about 7 million customers’ data in 2023 breach
Darren Major · CBC News
Posted: Jun 17, 2025 10:31 AM EDT
Commissioner Philippe Dufresne told reporters that appropriate protections were not in place in 2023 when hackers gained access to about 6.9 million profiles on the site — about half its customer base.
"The breach serves as a cautionary tale for all organizations about the importance of data protections," Dufresne said during a news conference on Tuesday.
"With data breaches growing in severity and complexity — and ransomware and malware attacks rising sharply — any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable."
Customer profiles contained sensitive personal data, including birth year, geographic location, health information and the percentage of DNA users share with their relatives. Dufresne said some of the stolen info was later being sold online.
The investigation was launched last year in conjunction with U.K. information commissioner John Edwards.
"23andMe failed to take basic steps to protect people's information, their information systems were inadequate, the warning signs were there and the company was slow to respond," Edwards said.
Like other genetic testing businesses, 23andMe uses saliva samples to generate reports about a customer's ancestry as well as potential predispositions to certain health conditions.
WATCH | UK Information Commissioner John Edwards slaps 23andMe with fine: UK Information Commissioner John Edwards issues 23andMe a 2.31 million pound fine for data breach
Nearly 320,000 Canadians and 150,000 people in the U.K. were impacted by the 2023 breach, the commissioners said.
Edwards said that the U.K. has slapped the San Francisco-based company with a $4.2-million fine over the data breach, but Dufresne said he doesn't have the power to hit the company with monetary penalties.
"[The authority to fine companies] is something that exists broadly around the world in privacy legislation and it is something that is necessary. Unfortunately, Canadian privacy law does not yet provide this to me," Dufresne said.
Legal changes have been proposed in the past that would give the privacy commissioner the authority to levy fines, but have never been enacted. Dufresne said he hopes the new Parliament will propose changes again soon.
WATCH | Canada's privacy commissioner says his office should be able to impose fines
23andMe filed for bankruptcy earlier this year and announced that it would be selling off its assets — meaning customers' data could be "accessed, sold or transferred." However, the company said the bankruptcy process will not affect how it stores, manages or protects customer data.
Dufresne and Edwards said they expect the company to adequately protect personal information during any sale.
"We will be following this carefully … the [privacy] obligations should continue to apply to any new owner," Dufresne said.
ABOUT THE AUTHOR
Darren Major is a senior writer for CBC's Parliamentary Bureau.