Canadian and British privacy watchdogs have blasted DNA testing firm 23andMe for failing to implement basic cybersecurity measures before a massive 2023 data breach compromised the personal data of nearly 6.9 million users—almost half its global clientele.
An investigation by Canada’s Privacy Commissioner Philippe Dufresne and the U.K.’s Information Commissioner John Edwards concluded that 23andMe ignored clear warning signs and failed to secure sensitive information such as users’ birth years, geographic locations, health details, and DNA match data.
“This breach serves as a cautionary tale for all organizations about the importance of data protections,” Dufresne said during a joint press conference in Ottawa. Edwards echoed this, saying, “23andMe failed to take basic steps to protect people’s information… and the company was slow to respond.”
The breach affected nearly 320,000 Canadians and 150,000 U.K. residents. As a result, the U.K. has imposed a £2.31 million ($4.2 million CAD) fine on the now-bankrupt U.S.-based company. However, Canada’s privacy laws currently prevent Dufresne from issuing similar financial penalties—an authority he is urging Parliament to grant.
Meanwhile, 23andMe has filed for bankruptcy and is in the process of selling off its assets. Though the company claims that customer data protections will remain intact, both Dufresne and Edwards warned they will monitor any transfer of data closely to ensure continued privacy obligations are upheld.
Swifteradio.com
