23andMe had ‘inadequate’ security before ‘profoundly damaging’ hack: probe

Genetic data company 23andMe had “inadequate” security systems and was “slow to respond” to warning signs that customers’ sensitive data was at risk before the “profoundly damaging” 2023 data breach, privacy officials say.
Canadian Privacy Commissioner Philippe Dufresne and U.K. Information Commissioner John Edwards released the results of their joint investigation into the breach on Tuesday.
The investigation found that of the almost seven million people impacted worldwide, nearly 320,000 Canadians and more than 150,000 people in the U.K. had their sensitive genetic information compromised by hackers.
Dufresne said Tuesday the breach serves as a “cautionary tale” for all organizations about the importance of data protection.

Dufresne added that 23andMe lacked basic security measures, such as appropriate authentication and verification controls in the login process, including multi-factor authentication and even strong minimum password requirements.
“With data breaches growing in severity and complexity and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,” Dufresne said.
While Canada’s privacy commissioner does not have the power to levy fines, the U.K. information commissioner can – and in this case, is fining 23andMe a total of 2.31 million pounds.
The fine is the result of 23andMe “failing to implement appropriate security measures to protect the personal information of U.K. users,” Edwards said.

Edwards said that the October 2023 data breach exposed sensitive personal information, family histories and even health conditions.

“This was a profoundly damaging breach,” he said.
“23andMe failed to take basic steps to protect people’s information. The security systems were inadequate. The warning signs were there and the company was slow to respond. This left people’s most sensitive personal data vulnerable to exploitation and harm.”
He went on to tell reporters that his office had heard from people affected by the breach, who said they felt “anxious” about what it could mean for their personal, financial and family safety.
According to Dufresne, the investigation also found that stolen data was offered for sale online, putting affected individuals’ personal information “at further risk.”

The company settled a lawsuit late last year that accused 23andMe of failing to protect the privacy of 6.9 million customers whose personal information was exposed in the breach. The company was ordered to pay US$30 million and provide three years of security monitoring.
In the months since the breach, the company has faced numerous issues, including seeing its value in public listings drop by more than 97 per cent and its seven independent directors resigning last September amid news the original founder was planning to take the company private once more.
The company has never made a profit and filed for bankruptcy in March, seeking to sell its business at auction after a decline in demand and the 2023 data breach.
Regeneron Pharmaceuticals last month agreed to buy the company for US$256 million, but on Monday declined to submit a new bid for the company after 23andMe co-founder Anne Wojcicki beat its offer, putting forward US$305 million from the non-profit she controls.

The bid from Wojcicki is expected to close in the coming weeks after a court hearing scheduled for Tuesday, according to her non-profit TTAM Research Institute. The non-profit said it would uphold 23andMe’s existing privacy policies and comply with all applicable data protection laws.
Reporters also asked Dufresne about the prospect of Wojcicki, who was CEO during the data breach, taking over the company once more and potentially selling data outside the company.
He said that the company has taken steps to address some of the recommendations made by his and Edwards’ offices, and had received assurances from the new buyer they would respect existing privacy policies and clauses.
“We’ve indicated in the report that we will be following this carefully, that the obligations should continue to apply to any new owner and that if there are any concerns that our citizens can reach out to us and we’ll take the appropriate steps,” Dufresne said.
He added that while his office can’t levy fines, it is making recommendations to the government and working with the international community as needed. He said that in “appropriate cases” he can also apply to the Federal Court for an order imposing binding obligations on an organization.
But Edwards issued a further stern warning to 23andMe that they could face further fines and enforcement if action isn’t taken.
“These are ongoing obligations, so they’ve been drawn to the leadership’s attention that they’ve been in breach,” Edwards said. “They’ve failed to reach the standard required by U.K. law. If they don’t remedy that, they will remain in breach and could be exposed to further enforcement action.”
— with files from Reuters
globalnews