DNA Testing Firm 23andMe Fined More Than $4 Million Following Data Breach Probe
DNA testing firm 23andMe has been fined more than $4 million following a joint investigation carried out by Canada and UK privacy officials, who found the company failed to ensure sufficient security measures were in place to protect customers' personal information, leading to a major data breach in 2023.
The joint investigation was conducted by the Office of the Privacy Commissioner of Canada (OPC) and the United Kingdom Information Commissioner's Office (ICO) after a cyber attack affected nearly 7 million 23andMe customers worldwide, including almost 320,000 Canadians and 155,600 people in the UK.
"We decided to launch this joint investigation in light of the international impact of the breach and the highly sensitive nature of the personal information involved," Canada's Privacy Commissioner Philippe Dufresne said at a joint press conference with the UK information commissioner in Ottawa on June 17.
The investigation found that a hacker targeted 23andMe's platform using a "lengthy credential-stuffing attack"—a cyberattack method in which attackers use lists of previously compromised usernames and passwords to break into a system.
The attack allowed the hacker to access and download personal information directly from thousands of customers' accounts on the platform between April 2023 and September 2023, due to a lack of adequate security to protect against unauthorized access to sensitive customer information, Dufresne said.
The compromised data included "highly sensitive" information related to customers' health, race and ethnicity, geographic location, information about relatives, date of birth, and gender. The investigation also found that the stolen data was offered for sale online.
Dufresne said that the incident serves as a "cautionary tale" to all organizations about the importance of protecting customers' data at a time when more personal information is being collected online amid increased risk for cyber attacks and data breaches that are "growing in severity and complexity."
"Organizations must also take proactive steps to protect against cyber attacks," Dufresne added. "This includes using multi-factor authentication, strong, minimum password requirements, compromised password checks and adequate monitoring to detect abnormal activity, with data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply."
The investigation found 23andMe did not have these protective measures in place.
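The "adequate monitoring to detect abnormal activity" the commissioner refers to can be as simple as looking at login telemetry per source: credential stuffing shows up as one source trying many different accounts a few times each with a low success rate, which is what a months-long campaign like the one described above would look like. The following added example (not code from the article, 23andMe, or the regulators) runs that check over a constructed authentication log in an assumed `timestamp source_ip username result` format and lists the accounts that should get their sessions revoked and passwords reset.

```python
import re
from collections import defaultdict

# Constructed sample login records (assumed format, not real 23andMe data):
# one source fanning out across many accounts, one single-account brute force,
# and one ordinary login.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:02 203.0.113.7 bob FAIL
2023-05-01T10:00:03 203.0.113.7 carol OK
2023-05-01T10:00:04 203.0.113.7 dave FAIL
2023-05-01T10:00:05 203.0.113.7 erin FAIL
2023-05-01T10:00:06 203.0.113.7 frank FAIL
2023-05-01T10:05:00 198.51.100.9 alice FAIL
2023-05-01T10:05:02 198.51.100.9 alice OK
2023-05-01T10:06:00 192.0.2.44 mallory OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def analyse(log_text, min_accounts=5, max_success_ratio=0.5):
    """Per source IP, count distinct accounts tried and login outcomes.
    Credential stuffing: one source, many *different* accounts, few tries
    each, low success ratio. A legitimate user or a brute force against a
    single account does not fan out across accounts like that."""
    stats = defaultdict(lambda: {"accounts": set(), "ok": 0, "fail": 0, "ok_accounts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _, src, user, result = m.groups()
        s = stats[src]
        s["accounts"].add(user)
        if result == "OK":
            s["ok"] += 1
            s["ok_accounts"].add(user)  # a takeover from this source
        else:
            s["fail"] += 1
    flagged = {}
    for src, s in stats.items():
        total = s["ok"] + s["fail"]
        ratio = s["ok"] / total
        if len(s["accounts"]) >= min_accounts and ratio <= max_success_ratio:
            flagged[src] = sorted(s["ok_accounts"])
    return flagged

def accounts_to_reset(flagged):
    """Accounts successfully logged into from a flagged source: candidates
    for immediate session revocation and a forced password reset."""
    return sorted({u for users in flagged.values() for u in users})
```

Thresholds such as `min_accounts` are tuning knobs for a real deployment; the point is that the fan-out signature is visible in ordinary login logs long before a takeover campaign runs for months.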
'You Can't Change Your Genetic Makeup'
UK Information Commissioner John Edwards said at the press conference that the UK government has issued 23andMe a fine of 2.31 million pounds (CA$4.24 million) for failing to implement the appropriate security measures needed to protect the personal information of UK customers, adding that while the warning signs of the data breach were there, the company was "slow to respond."
"People affected by this breach told us that they felt anxious about what it could mean to their personal, financial and family safety. As one of those impacted told us, unlike usernames, passwords and email addresses, you can't change your genetic makeup when a data breach occurs," Edwards said.
Dufresne said that Canadian privacy law does not allow the country's privacy commissioner to issue fines and orders, which he said he has been advocating to change.
The investigation found that the company lacked protocols for responding to a data breach, and that it took four days for 23andMe to disable active user sessions and enforce a password reset for all customers following the cyber attack. In addition, the company took one month to disable the affected features and implement multi-factor authentication.
The joint investigation also found that 23andMe's breach notifications to the OPC, the ICO, and the affected customers did not include complete information about the personal data that was affected, and that the company delayed notifying both the offices and the affected individuals.
23andMe filed for bankruptcy in March. The company has entered into an agreement for the sale of the company's assets with TTAM Research Institute, an organization led by 23andMe's co-founder and former CEO Anne Wojcicki, the company said in a June 13 news release.
Dufresne was asked by reporters whether he had any concerns about Wojcicki being the CEO at the time of the data breach.
"In this investigation, the organization has taken steps to address some of our recommendations, and so as a result, we have found that this was substantiated but resolved in terms of the measures taken in terms of the purchasing process," Dufresne responded.
A 23andMe spokesperson told The Epoch Times in an emailed statement that "by the end of 2024, 23andMe had implemented multiple steps to increase security to protect individual accounts and information."
"As part of its agreement to acquire 23andMe, TTAM Research Institute made several binding commitments to enhance protections for customer data and privacy," the company said.
Some of those commitments included agreeing to not sell or transfer genetic data under a subsequent bankruptcy; establishing a Consumer Privacy Advisory Board within 90 days of the closing; implementing privacy procedures, notifying customers of material changes, mitigating data breaches, and preparing annual reports to be made available to Attorneys General upon request; and offering customers two years of free identity theft monitoring.