
23andMe Faulted For Lax Security In 'Profoundly Damaging' 2023 Data Breach

June 17, 2025 — 05:55 pm EDT

(RTTNews) - Canadian and U.K. privacy watchdogs have sharply criticized genetic testing firm 23andMe for substandard security measures and a sluggish response that exposed nearly seven million users' sensitive information in October 2023.

Their joint probe found 23andMe lacked essential protections such as multi-factor authentication and robust password requirements, leaving 320,000 Canadians and 155,000 Britons vulnerable when hackers leveraged recycled credentials to infiltrate accounts.

Canada's Privacy Commissioner Philippe Dufresne decried the breach as a "cautionary tale" about prioritizing data protection amid rising cyber threats. In the U.K., Information Commissioner John Edwards slapped 23andMe with a £2.31 million fine, condemning the company's failure to implement "basic" safeguards for special-category genetic data and its "slow" reaction to early warning signs.

Although raw DNA sequences remained intact, the attackers accessed personal details, including birth years, locations, family trees and health reports, and subsequently offered them for sale online. Last year, 23andMe settled a class-action suit, agreeing to a $30 million payment and three years of credit monitoring for affected customers.

Now in bankruptcy proceedings, 23andMe will transfer its assets to TTAM Research Institute under a $305 million deal in which TTAM outbid Regeneron. TTAM has pledged legally binding enhancements to data security and a commitment to existing privacy policies.

Regulators warned that any lapse under new ownership could trigger further enforcement, emphasizing that once genetic information is exposed, the exposure cannot be undone.

