DNA testing company 23andMe didn’t have adequate data protections and ignored warning signs ahead of a massive data breach almost two years ago, an investigation by Canada’s privacy commissioner found.
Commissioner Philippe Dufresne told reporters that proper protections were not in place in 2023 when hackers gained access to roughly 6.9 million profiles on the site — nearly half its client base.
“The breach serves as a cautionary tale for all organizations about the importance of data protections,” Dufresne said during a news conference on Tuesday.
“With data breaches growing in severity and complexity — and ransomware and malware attacks rising sharply — any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable.”
Customer profiles contained delicate personal data, including birth year, geographic location, health information and the percentage of DNA users share with their relatives. Dufresne said some of the stolen info was later being sold online.
The investigation was launched last year in conjunction with U.K. information commissioner John Edwards.
“23andMe failed to take basic steps to protect people’s information, their security systems were inadequate, the warning signs were there and the company was slow to respond,” Edwards told reporters on Tuesday.
Like other genetic testing businesses, 23andMe uses saliva samples to generate reports about a customer’s ancestry as well as potential predispositions to certain health conditions.