The consumer genetic-testing giant 23andMe failed to adequately protect its customers’ sensitive data, leading to a significant data breach in 2023, according to a joint investigation by privacy watchdogs in Canada and the United Kingdom.
Why it matters: The breach exposed the personal information of millions of 23andMe customers, including birth years, postal codes, race, family trees, and health reports, highlighting the importance of robust data security measures for companies handling sensitive genetic data.
The details:
- Between April and September 2023, a hacker accessed 23andMe’s platform using login credentials obtained from other data breaches, compromising the data of seven million customers, including approximately 320,000 Canadians and 150,000 U.K. residents.
- The investigation revealed significant security deficits at 23andMe, such as the lack of mandatory multi-factor authentication and insufficient controls for accessing raw genetic data.
- The U.K. Information Commissioner’s Office imposed a £2.31-million ($4.24-million) fine on the company, while the Canadian Privacy Commissioner’s Office lacked the authority to levy a similar fine.
- The breach triggered multiple class-action lawsuits and contributed to the company’s declining valuation, which plummeted from US$6-billion to less than US$500-million.
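As an added illustration of the mechanism in the first two bullets (example code, not from the regulators' report, 23andMe or TTAM): a detector for the credential-replay pattern over constructed authentication log lines, where one source cycles through many distinct accounts with mostly failures. The log format, thresholds and sample records are assumptions.

```python
"""Flag credential-stuffing sources in a constructed auth log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed format): timestamp, source IP, account, outcome.
# 203.0.113.7 replays leaked username/password pairs against six accounts;
# two of them still match, which is the account takeover mandatory MFA would block.
SAMPLE_LOG = """\
2023-04-01T10:00:01Z 203.0.113.7 alice@example.org FAIL
2023-04-01T10:00:02Z 203.0.113.7 bob@example.org FAIL
2023-04-01T10:00:03Z 203.0.113.7 carol@example.org OK
2023-04-01T10:00:04Z 203.0.113.7 dave@example.org FAIL
2023-04-01T10:00:05Z 203.0.113.7 erin@example.org OK
2023-04-01T10:00:06Z 203.0.113.7 frank@example.org FAIL
2023-04-01T10:05:00Z 198.51.100.4 alice@example.org FAIL
2023-04-01T10:05:30Z 198.51.100.4 alice@example.org OK
"""


def parse_log(text):
    """Parse lines of 'ts ip account outcome' into (datetime, ip, account, outcome)."""
    records = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    return records


def find_stuffing_sources(records, window=timedelta(minutes=10), min_accounts=5, max_success_rate=0.5):
    """Return {ip: {"accounts": n, "compromised": [...]}} for sources that, within one
    sliding window, touch many distinct accounts with a low success rate. Stuffing differs
    from single-account brute force: per-account attempts stay low, so group by source."""
    by_ip = defaultdict(list)
    for ts, ip, account, outcome in sorted(records):
        by_ip[ip].append((ts, account, outcome))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward until it spans at most `window`
            win = events[start:end + 1]
            accounts = {a for _, a, _ in win}
            successes = [a for _, a, o in win if o == "OK"]
            if len(accounts) >= min_accounts and len(successes) / len(win) <= max_success_rate:
                if ip not in flagged or len(accounts) > flagged[ip]["accounts"]:
                    # "compromised" lists accounts whose password matched during the run:
                    # candidates for forced credential reset and MFA enrolment.
                    flagged[ip] = {"accounts": len(accounts), "compromised": sorted(successes)}
    return flagged


if __name__ == "__main__":
    print(find_stuffing_sources(parse_log(SAMPLE_LOG)))
```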
What they’re saying:
- “Unlike usernames, passwords, and e-mail addresses, you can’t change your genetic makeup when a data breach occurs,” a consumer noted in the report.
- Canadian Privacy Commissioner Philippe Dufresne praised the joint investigation as an effective example of international regulatory collaboration.
- 23andMe spokesperson Ann Sommerlath stated that TTAM, the non-profit that acquired 23andMe, has made “several binding commitments” to enhance consumer data protection.
The background: 23andMe struggled due to a flawed business model and diminished consumer trust following the data breach. In an effort to generate new revenue, the company licensed de-identified versions of its genetic data to pharmaceutical companies to aid in drug research.
What’s next: During U.S. insolvency proceedings, TTAM Research Institute, a non-profit led by former CEO Anne Wojcicki, acquired 23andMe for US$305-million. TTAM has committed to allowing customers to delete their accounts, opt out of research uses of their data, and not sell or transfer genetic data to any entity that does not adhere to TTAM’s policies and comply with all laws.