23andMe ‘failed to take basic steps’ to protect private information, investigation finds

The DNA testing company 23andMe has come under scrutiny after a recent investigation by Canada’s privacy commissioner revealed that the company did not have adequate data protections in place leading up to a massive data breach that occurred almost two years ago. Commissioner Philippe Dufresne disclosed that in 2023, hackers were able to access approximately 6.9 million profiles on the site, which accounts for nearly half of the company’s client base.

During a news conference, Dufresne emphasized the importance of data protection measures for all organizations in light of the increasing severity and complexity of data breaches, ransomware attacks, and malware threats. The stolen customer profiles contained sensitive personal information such as birth year, geographic location, health data, and the percentage of DNA shared with relatives. Some of this stolen information was later found for sale online.

The investigation was conducted in collaboration with U.K. Information Commissioner John Edwards, who criticized 23andMe for failing to implement basic security measures, having inadequate security systems, and being slow to respond to warning signs. Like other genetic testing companies, 23andMe uses saliva samples to provide customers with reports on their ancestry and potential predispositions to certain health conditions.

The breach impacted nearly 320,000 Canadians and 150,000 individuals in the U.K., leading to a $4.2 million fine imposed by the U.K. on the San Francisco-based company. However, Dufresne noted that he lacks the authority to levy monetary penalties in Canada. While legal changes have been proposed in the past to grant the privacy commissioner this power, they have yet to be enacted.

Despite filing for bankruptcy earlier this year and announcing the sale of its assets, 23andMe assured customers that the bankruptcy process would not affect the storage, management, or protection of their data. Dufresne and Edwards expressed their expectation that any new owner of the company would continue to uphold privacy obligations and safeguard user data.

As the situation unfolds, Dufresne emphasized the importance of closely monitoring the handling of customer data during any potential sale of 23andMe. He hopes that the Canadian Parliament will revisit proposed changes to grant the privacy commissioner the authority to impose fines on companies for data breaches in the future.
