Privacy Commissioner calls for focus on data protection after 23andMe breach

An investigation found that the company did not implement adequate protective measures
Privacy Commissioner Philippe Dufresne has urged organizations to focus on data and privacy protection after the 23andMe breach, which affected seven million customers worldwide, almost 320,000 of whom were Canadians.

The Office of the Privacy Commissioner of Canada conducted a joint investigation with the United Kingdom Information Commissioner’s Office (ICO), which revealed that 23andMe did not have appropriate controls to shield against unauthorized access to highly sensitive personal data. It also did not implement systems to track, identify, or respond to cyberthreats.

23andMe’s platform was compromised between April and September 2023, with the attacker using login credentials that customers had reused from past, unrelated data breaches. The stolen information includes health data, race and ethnicity, relatives, date of birth, sex at birth, and gender; most of it was derived from customer DNA.

The company ignored signs of a breach, including a claim that customer information had been stolen. It also failed to inform regulators and affected customers after the incident, violating Canadian and UK laws.

As a result, 23andMe could face a £2.31 million fine under UK privacy law. Dufresne called for modernized laws in Canada, as he lacks the power to issue orders or penalties under current federal privacy law.

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK,” UK Information Commissioner John Edwards said in a statement. “As one of those impacted told us: ‘once this information is out there, it cannot be changed or reissued like a password or credit card number.’ 23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

The OPC advised organizations to implement multi-factor authentication, strong minimum password requirements, compromised-password checks and adequate monitoring to identify abnormal activity. Canadians affected by the breach should also create new passwords, avoid reusing old passwords, enable multi-factor authentication, and monitor their accounts for unusual activity. They should also be wary of phishing scams that reference their personal information.
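The OPC's last recommendation, monitoring for abnormal activity, is the control that would have surfaced the credential-reuse pattern described above. The following is an added example, not code from the article, the OPC or 23andMe: a small credential-stuffing detector that reads constructed authentication log lines (the log format and the thresholds are assumptions) and flags a source that tries many distinct accounts with mostly failed logins in a short window, listing the accounts where it nonetheless succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp ip= user= result=).
# 203.0.113.7 cycles through six accounts in seconds and gets into one;
# the other two sources are ordinary single-account activity.
SAMPLE_LOG = """
2023-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-05-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-05-01T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2023-05-01T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2023-05-01T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2023-05-01T10:00:06Z ip=203.0.113.7 user=frank result=OK
2023-05-01T10:00:10Z ip=198.51.100.2 user=alice result=FAIL
2023-05-01T10:00:40Z ip=198.51.100.2 user=alice result=OK
2023-05-01T10:30:00Z ip=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(line):
    """Return (timestamp, ip, user, success) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4) == "OK"

def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_rate=0.6):
    """Flag source IPs whose sliding window of attempts spans many distinct
    accounts with a high failure rate (assumed thresholds); for each flagged
    IP report the accounts it did log into, which need forced resets."""
    by_ip = defaultdict(list)
    for ev in sorted(filter(None, map(parse, lines))):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fail_rate = sum(not e[3] for e in span) / len(span)
            if len(users) >= min_accounts and fail_rate >= min_fail_rate:
                flagged[ip] = {
                    "accounts_tried": len({e[2] for e in evs}),
                    "fail_rate": round(sum(not e[3] for e in evs) / len(evs), 2),
                    "compromised": sorted({e[2] for e in evs if e[3]}),
                }
                break
    return flagged
```

Correlating the hits across sources (the same account succeeding from several flagged IPs, or successes from an IP the account has never used) is the next step a detection team would add.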

“Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,” Dufresne said.

23andMe has since filed for Chapter 11 bankruptcy in the US. The OPC and ICO have reached out to the trustee overseeing the proceedings to clarify how the personal information of Canadian and UK citizens should be handled. 

The regulators will share the investigation’s findings with the buyer of 23andMe’s data holdings. The OPC and ICO said they would act if the buyer failed to comply with privacy law.