On June 17, 2025, the Privacy Commissioner of Canada and the United Kingdom's Information Commissioner (collectively, the Commissioners) released the findings of their joint investigation into the October 2023 global data breach at 23andMe, a genetic testing company. The investigation found that 23andMe failed to implement sufficient security measures to protect the personal information of its customers, including nearly 320,000 Canadians.

The investigation found several deficiencies in safeguards that contributed to the breach:

  • Issues with Breach Prevention: 23andMe did not mandate multi-factor authentication; meet industry standards for minimum password requirements; perform adequate checks for compromised passwords; or require additional customer verification prior to granting access to highly sensitive personal information, including raw DNA data.
  • Issues with Breach Detection: 23andMe’s detection mechanisms did not provide clear signals for attempted or successful unauthorized access to customer accounts; did not sufficiently monitor customer account activity to recognize anomalies indicative of unauthorized access; and missed opportunities to identify and prevent, or interrupt an attack.
  • Issues with Breach Response: 23andMe failed to implement mitigation measures in a timely manner and its lack of established protocols for responding to cyberattacks may have contributed to the delayed response.
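The findings describe the missing controls only at the level of "checks for compromised passwords" and "signals for attempted or successful unauthorized access"; the example below, added here as an illustration and not code from 23andMe or from the Commissioners' report, shows what the first two bullets look like in practice: a compromised-password check that compares a SHA-1 hash prefix/suffix in the style of the Pwned Passwords range lookup, and a credential-stuffing detector run over login log lines. The breached-password corpus, the 12-character minimum, the log format and the detection thresholds are all assumptions chosen for the example; the log lines are constructed, not real data.

```python
"""Illustrative breach-prevention and breach-detection checks (added example).

1. check_password(): reject passwords that are too short or appear in a
   breached-password corpus, comparing only the hash suffix within a
   5-character prefix range (the k-anonymity pattern used by the Pwned
   Passwords API). The corpus here is a small in-memory stand-in.
2. credential_stuffing_signals(): flag source IPs that attempt many distinct
   accounts in a short window with a high failure ratio, and report any
   accounts they did get into, which is the "clear signal" an analyst needs.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed stand-in for a breached-password corpus, keyed by uppercase SHA-1.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Password1")
}
MIN_LENGTH = 12  # assumed minimum; the findings cite "industry standards" without a number


def password_sha1(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def check_password(password, corpus=BREACHED_SHA1):
    """Return a list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    digest = password_sha1(password)
    # Only the 5-character prefix would leave the client; the suffix is
    # compared locally against the hashes returned for that prefix range.
    prefix, suffix = digest[:5], digest[5:]
    range_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    if suffix in range_suffixes:
        problems.append("appears in breached-password corpus")
    return problems


# Assumed log format: "<iso timestamp> ip=<addr> user=<name> result=ok|fail"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def credential_stuffing_signals(lines, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.5):
    """Flag IPs that hit >= min_accounts distinct accounts inside `window` with a
    failure ratio >= min_fail_ratio. Returns {ip: {"attempts", "accounts",
    "failures", "successes"}} with stats over all of that IP's events."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        events[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"], m["result"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {u for _, u, _ in chunk}
            failures = sum(1 for _, _, r in chunk if r == "fail")
            if len(accounts) >= min_accounts and failures / len(chunk) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(evs),
                    "accounts": len({u for _, u, _ in evs}),
                    "failures": sum(1 for _, _, r in evs if r == "fail"),
                    # Accounts the attacker actually entered: these need forced
                    # re-verification, not just a blocked IP.
                    "successes": [u for _, u, r in evs if r == "ok"],
                }
                break
    return flagged


# Constructed sample: one IP sprays six accounts in ten seconds and gets into
# one; a second IP is a single user who mistypes once and then succeeds.
SAMPLE_LOG = """
2023-10-01T02:00:01 ip=203.0.113.7 user=alice result=fail
2023-10-01T02:00:03 ip=203.0.113.7 user=bob result=fail
2023-10-01T02:00:05 ip=203.0.113.7 user=carol result=ok
2023-10-01T02:00:07 ip=203.0.113.7 user=dave result=fail
2023-10-01T02:00:09 ip=203.0.113.7 user=erin result=fail
2023-10-01T02:00:11 ip=203.0.113.7 user=frank result=fail
2023-10-01T02:05:00 ip=198.51.100.2 user=alice result=fail
2023-10-01T02:05:20 ip=198.51.100.2 user=alice result=ok
"""


def run_demo():
    return check_password("Password1"), credential_stuffing_signals(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(run_demo())
```

The per-user failure-then-success from 198.51.100.2 is deliberately not flagged: the signal that distinguishes stuffing from a forgotten password is breadth across accounts from one source, not failures alone. In a real deployment the "successes" list would drive the additional verification step the findings say was missing before sensitive data such as raw DNA could be retrieved.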

Due to the highly sensitive nature of the compromised information and the high probability of its misuse, this breach created a real risk of harm to the individuals affected and met the breach reporting thresholds under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the UK’s General Data Protection Regulation (UK GDPR). The Commissioners concluded that 23andMe’s breach reports to their offices were not made in accordance with PIPEDA and the UK GDPR because they failed to include complete details about the personal information likely involved in the breach, namely raw DNA data. In certain instances, 23andMe’s notification to affected individuals was also not in accordance with PIPEDA and the UK GDPR because they failed to provide relevant information that was known at the time of notification, such as the details of the personal information likely involved in the breach and the fact that some breached information had been posted for sale online.

A full summary of the results of the joint investigation can be found here.

Summary By: Amy Ariganello


E-TIPS® ISSUE

25 07 09

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.