Backgrounder: Summary of joint investigation into data breach at 23andMe by the Privacy Commissioner of Canada and the UK Information Commissioner

Privacy Commissioner of Canada Philippe Dufresne together with UK Information Commissioner John Edwards conducted a joint investigation into a global data breach that occurred at 23andMe, a direct-to-consumer genetic testing company. This document provides an overview of the findings of the investigation and relevant takeaways for organizations.

23andMe joint investigation overview

In October 2023, 23andMe, a company that provides direct-to-consumer genetic testing and ancestry services to individuals globally, confirmed a data breach that affected almost 7 million of its customers.

Given the scale of the breach, the sensitivity of the personal information involved, and the international service provided by 23andMe, the Privacy Commissioner of Canada and the UK Information Commissioner decided to jointly investigate 23andMe’s privacy practices and compliance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the UK’s General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018).

The joint investigation aimed to determine:

  • whether 23andMe had appropriate safeguards in place to adequately protect the personal information under its control; and
  • whether 23andMe adequately notified the Office of the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner’s Office (ICO) as well as affected individuals about the breach.

Investigation findings

The investigation found that 23andMe was subject to a lengthy credential-stuffing attack, which allowed the hacker to access and download personal information directly from thousands of customers’ accounts. In this attack, the hacker used stolen log-in details (username or email address and password) from other websites impacted by previous breaches and then “stuffed” these credentials into 23andMe’s log-in page until they found matches.

Beginning on April 29, 2023, and over the course of five months, the hacker was able to obtain access to more than 18,000 customers’ accounts.

23andMe stated that a total of almost 7 million customers were affected by the breach worldwide, including almost 320,000 people in Canada and 155,600 people in the UK.

The types of personal information accessible to the hacker via customers’ accounts included highly sensitive information related to health, race and ethnicity, as well as information about relatives, date of birth, sex at birth and gender. Much of this information was derived from the individual’s DNA.

Customers could also opt into a DNA Relatives (DNAR) feature, which allowed them to share information (such as relationship, year of birth, percentage of DNA shared with their matches, location, etc.) with genetic relatives.

If this feature was activated in an account, personal information accessible to the hacker could also include the personal information of thousands of other individuals to whom the owner of the credential-stuffed account was genetically linked. This additional information could include their name, self-reported year of birth and location (that is, city and postal code), profile image, and race or ethnic origin.

This explains why the personal information of nearly 7 million customers was ultimately accessible to the hacker.

The investigation examined and identified issues with 23andMe’s safeguards, including in relation to security measures to help prevent, detect and respond to a breach, as well as with its notification of the breach to our Offices and affected individuals. These issues are explained below in more detail.

Safeguards

Our investigation found a number of deficiencies in 23andMe’s safeguards that contributed to the breach. Many of these deficiencies stemmed primarily from the fact that 23andMe did not develop appropriate safeguards to prevent credential stuffing, which is a common form of attack.

The deficiencies that were identified generally fell under three key areas: (i) prevention; (ii) detection; and (iii) breach response.

Issues related to breach prevention

No mandatory multi-factor authentication (MFA)

MFA is a means of improving the security of authentication by requiring a user to enter more information than just a password. At the time of the breach, 23andMe made MFA optional, rather than a mandatory feature on its platform, and less than 22% of 23andMe customers had opted into either MFA or Single Sign-On (another mechanism of enhanced security at sign-on).

As such, for more than three-quarters of users, their password was the only control protecting access to their account, leaving them exposed to the risk of credential-based attacks.

23andMe stated that they decided not to make MFA mandatory as they wished to avoid friction in the user experience.

Inadequate minimum password requirements

23andMe’s password policy did not meet industry standards of best practice in place in 2023 or the UK ICO’s Guidance on Passwords in online services, which recommends, among other things, that passwords be no less than ten characters. 23andMe required that the password be a minimum of only eight characters, with minimal complexity requirements.

Inadequate compromised-password checks

23andMe did not perform robust checks to verify if customers were reusing credentials that had been compromised in previous data breaches.

No additional protections to access raw DNA data

Once an account was accessed, there were no additional identity verification measures in place to protect the most sensitive personal information, including raw DNA data, from being accessed and downloaded from an account.

Issues related to breach detection

Ineffective detection systems

23andMe’s detection mechanisms failed to alert 23andMe to clear signals that a hacker was attempting to gain, and had obtained, unauthorized access to large numbers of customer accounts.

Insufficient logging and monitoring of suspicious customer activity

23andMe’s logging and monitoring of customers’ account activity was insufficient to detect anomalous user behaviours indicative of unauthorized access. Further, 23andMe made no device history available to customers to show them what devices had been, or were currently being used to access their account.

Inadequate investigation of anomalies

23andMe missed opportunities to identify and prevent, or at least interrupt, the attack. There were three distinct events that occurred during the period of the ongoing attack that, when viewed collectively, should have led 23andMe to detect the ongoing attack prior to October 2023. This could have, in turn, allowed 23andMe to prevent thousands of additional accounts from being subject to credential stuffing.
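The signals this section describes (a spike in failed logins, one source trying many accounts, one account logged into far too often in a day, and logins from devices a customer has never used) can each be checked with a few lines of code. The following is an added example, not part of the Commissioners’ report and not 23andMe’s tooling: it parses a constructed authentication log of the form “timestamp account source-address OK|FAIL” and raises each of those alerts. The thresholds, the log lines, the account names, the addresses and the device-history map are all assumptions chosen for the demonstration.

```python
"""Credential-stuffing signals over an authentication log (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_log(text):
    """Parse 'timestamp user ip OK|FAIL' lines (constructed format) into events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(ts, user, ip, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def failed_login_spikes(events, window_s=600, threshold=20):
    """Failed logins per fixed window; a window above the threshold is a spike."""
    buckets = Counter()
    for e in events:
        if not e.ok:
            buckets[int(e.ts.timestamp()) // window_s] += 1
    return [(datetime.fromtimestamp(b * window_s, tz=timezone.utc), n)
            for b, n in sorted(buckets.items()) if n > threshold]


def spraying_sources(events, min_distinct_users=10):
    """Source addresses that tried many distinct accounts: the signature of a stolen credential list being replayed."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e.ip].add(e.user)
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_distinct_users}


def hammered_accounts(events, max_per_day=100):
    """Accounts logged into an implausible number of times in one calendar day (scripted logins)."""
    per_day = Counter((e.user, e.ts.date()) for e in events)
    return {k: n for k, n in per_day.items() if n > max_per_day}


def unfamiliar_device_logins(events, device_history):
    """Successful logins from an address absent from the user's device history, once per (user, address)."""
    seen, alerts = set(), []
    for e in events:
        known = device_history.get(e.user, set())
        if e.ok and e.ip not in known and (e.user, e.ip) not in seen:
            seen.add((e.user, e.ip))
            alerts.append((e.user, e.ip))
    return alerts


# Constructed device history: the per-customer record of previously used
# addresses/devices that the report says 23andMe did not make available.
DEVICE_HISTORY = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.8"}}


def build_sample_log():
    """Constructed log: a little normal traffic, one stuffing burst, one hammered account."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        "2023-05-01T08:00:00Z alice 198.51.100.7 OK",
        "2023-05-01T08:05:00Z bob 198.51.100.8 FAIL",
        "2023-05-01T08:05:30Z bob 198.51.100.8 OK",
    ]
    # One address tries 40 different accounts in four minutes; two of them "match".
    t0 = datetime(2023, 5, 1, 3, 0, tzinfo=timezone.utc)
    for i in range(40):
        result = "OK" if i in (7, 23) else "FAIL"
        lines.append(f"{(t0 + timedelta(seconds=6 * i)).strftime(fmt)} user{i:03d} 203.0.113.5 {result}")
    # A script logs into one free account 150 times within a single day.
    t1 = datetime(2023, 7, 10, tzinfo=timezone.utc)
    for i in range(150):
        lines.append(f"{(t1 + timedelta(minutes=9 * i)).strftime(fmt)} freeacct 203.0.113.9 OK")
    return "\n".join(lines)


def analyze(text, device_history=DEVICE_HISTORY):
    """Run every detector and return the alerts keyed by signal name."""
    events = parse_log(text)
    return {
        "failed_login_spikes": failed_login_spikes(events),
        "spraying_sources": spraying_sources(events),
        "hammered_accounts": hammered_accounts(events),
        "unfamiliar_devices": unfamiliar_device_logins(events, device_history),
    }


if __name__ == "__main__":
    for signal, hits in analyze(build_sample_log()).items():
        print(f"{signal}: {hits}")
```

Each detector needs only the fields a login endpoint already has (time, account, source, outcome), so the gap the report identifies is one of retention and review rather than instrumentation: the three July and August 2023 events in the chronology would each have tripped at least one of these checks, and viewing them together is what the “inadequate investigation of anomalies” finding is about.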

Issues related to breach response

Delays in mitigation

Despite the urgency of the situation – and 23andMe being aware of the credential-based attack, which was potentially ongoing – it took the company four days to disable all active user sessions and implement a password reset for all customers. Furthermore, it took 23andMe approximately one month to disable the self-service raw DNA download feature and implement mandatory MFA. The absence of established protocols for responding to a credential stuffing attack may have contributed to these delays.

Conclusions related to safeguards

In light of the above, the Commissioners concluded in their Preliminary Report of Investigation that 23andMe lacked appropriate safeguards commensurate to the sensitivity of information in question, and identified measures for 23andMe to implement in order to bring the company’s safeguards into compliance with their respective data protection laws.

In response, 23andMe informed the OPC and UK ICO of a variety of information security improvements that it had implemented since the breach, many of which correspond to areas of inquiry or concern that were raised during the course of the investigation. In light of the above,

  • The Privacy Commissioner of Canada concludes that 23andMe contravened Principle 4.7 of Schedule 1 of PIPEDA by failing to implement appropriate safeguards to ensure the protection of the highly sensitive personal information of its customers. In light of the safeguard improvements subsequently implemented by 23andMe, the Privacy Commissioner of Canada finds this issue to be well-founded and resolved.
  • The UK Information Commissioner concludes that 23andMe infringed Articles 5(1)(f) and 32(1) UK GDPR by failing to implement appropriate technical and organisational measures to ensure the integrity and confidentiality of its processing systems and services and its customers’ personal information.

Breach notifications

Given the highly sensitive information compromised and the high probability of misuse in the context, the breach created a risk of harm to affected individuals that met the breach reporting thresholds under both PIPEDA (that is, a real risk of significant harm or “RROSH”) and Articles 33(1) and 34(1) of the UK GDPR, such that 23andMe was required to notify both (1) our Offices and (2) affected individuals of the breach.

Notifications to the Offices

With respect to 23andMe’s breach notifications to their Offices, the Privacy Commissioner of Canada and the UK Information Commissioner find that 23andMe’s breach reports were not made in accordance with PIPEDA and the UK GDPR, respectively, as they failed to include complete information about the personal information that was involved or likely to be involved in the breach and which was known to 23andMe when submitting its breach report, in particular raw DNA data.

In respect of the timing of the breach reports, the Privacy Commissioner of Canada accepts that 23andMe provided its breach notification “as soon as feasible.” Similarly, the UK Information Commissioner considers 23andMe’s explanation for not providing its notification within 72 hours of becoming aware of the breach to be reasonable in the circumstances.

Notification to affected individuals

With respect to 23andMe’s breach notifications to affected individuals, the Privacy Commissioner of Canada and the UK Information Commissioner find that 23andMe’s notifications were not, in certain instances, made in accordance with PIPEDA and the UK GDPR, respectively, as they failed to provide relevant information that was known to 23andMe when submitting its notifications, including: (i) complete information about the personal information that was involved or likely to be involved in the breach; and (ii) the fact that the personal information of some individuals had been posted for sale online by the hacker.

In respect of the timing of the breach notifications, individuals whose accounts were directly accessed by the hacker were not notified about their account having been accessed by the hacker until January 2024. This was more than one month after 23andMe had completed its forensic analysis and determined which accounts had been accessed.

Given this one-month delay, the Privacy Commissioner of Canada found that 23andMe did not issue notifications to individuals with stuffed accounts as soon as feasible.

Conclusions related to notification

In a Preliminary Report, measures were identified for 23andMe to implement in order to ensure the company’s compliance with its breach notification obligations under the respective data protection laws. In response, 23andMe informed both Offices of improvements it had put in place to ensure proper breach notifications to regulators and affected individuals in the future. In light of the above,

  • The Privacy Commissioner of Canada concludes that 23andMe contravened section 10.1 of PIPEDA and sections 2 and 3 of the Breach of Safeguards Regulations, given the inadequacies in its breach notifications to the OPC and to affected individuals. In light of measures implemented by 23andMe subsequent to the breach, the Privacy Commissioner of Canada finds this issue to be well-founded and resolved.
  • The UK Information Commissioner concludes that 23andMe failed to adhere to the requirements of Articles 33(3)(a) and (c), UK GDPR regarding 23andMe’s notifications to the ICO and failed to include all the relevant information required pursuant to Article 34(1) and (2) UK GDPR (read with Article 33(3)(c) UK GDPR) in its notifications to affected individuals.

Protection of personal information in the context of bankruptcy

On March 23, 2025, following the breach and in the face of mounting financial losses, 23andMe Holding Co. and certain of its subsidiaries, including 23andMe, filed for Chapter 11 bankruptcy under the US Bankruptcy Code.

The OPC and UK ICO wrote to the US Trustee overseeing 23andMe’s bankruptcy proceedings to emphasize the legal requirements for personal information relating to individuals located in Canada and the United Kingdom to be handled in compliance with their respective data protection laws. A sale approval hearing is scheduled to take place on June 17, 2025, in the US Bankruptcy Court for the Eastern District of Missouri.

The Offices will provide the approved purchaser with a copy of their Report of Findings to ensure the new owner is aware of obligations under PIPEDA and the UK GDPR, including to protect sensitive information with robust security safeguards.

The OPC and UK ICO are prepared to take appropriate action if they consider there to be evidence of non-compliance with the applicable data privacy laws in our respective jurisdictions.

Chronology of the data breach at 23andMe

April 2023: The hacker began their credential-stuffing attack, before carrying out their first period of intense credential-stuffing activity in May 2023.

July 2023: The hacker used a computer program to log into a free account with no associated DNA sample over a million times throughout the course of a single day. This was part of an unsuccessful attempt to initiate “profile transfers.” Due to this intense volume of logins during the course of a single day, 23andMe’s platform stopped working and their users were unable to access the platform.

Later in July 2023: There was a further attempt by the hacker to initiate profile transfers in 400 separate accounts. Despite 23andMe investigating this incident at the time, it failed to detect that this was part of a larger ongoing data breach.

August 2023: A claim of data theft affecting over 10 million users received via the 23andMe customer service portal and repeated on Reddit was dismissed as a hoax by 23andMe.

September 2023: The hacker carried out a second intense period of credential stuffing activity.

October 2023: The hacker advertised the stolen data for sale on Reddit. 23andMe further investigated the incident and confirmed that a data breach had occurred.

June 2024: The OPC and the UK ICO announced a joint investigation into the 23andMe data breach, underlining the regulators’ commitment to collaborate on protecting the fundamental right to privacy of individuals across jurisdictions.

March 2025: The OPC and the UK ICO issued their provisional findings to 23andMe and provided the company with an opportunity to respond to the preliminary report.

March 2025: 23andMe Holding Co. and certain of its subsidiaries, including 23andMe, filed for Chapter 11 Bankruptcy under the US Bankruptcy Code.

April 2025: The Offices wrote to the US Trustee overseeing 23andMe’s bankruptcy proceedings to emphasize that personal information relating to individuals located in Canada and the UK must be handled in compliance with our respective data protection laws.

June 13, 2025: 23andMe announces that it has entered into an agreement with the TTAM Research Institute for the sale of substantially all of 23andMe’s assets.

June 17, 2025: Commissioners Dufresne and Edwards hold a joint press conference to announce the findings of the 23andMe investigation.

Key takeaways for organizations

The breach at 23andMe highlights the importance of taking proactive steps to protect against cyber attacks – and the significant negative impacts that breaches can have for individuals.

A key starting point is identifying potential threats and the risk of harm associated with them. When the personal information at issue is highly sensitive, the safeguards should be more robust as there is a heightened risk of harm.

Credential-based attacks such as “credential stuffing,” are among the most common and well-known threats targeting web applications. Organizations should ensure that their customers’ online accounts are protected against such attacks by safeguards appropriate to the sensitivity of the personal information at risk.

Effective security safeguards against credential-based attacks include:

  • Mandatory multi-factor authentication that requires customers to enter more than just a password in order to access an account.
  • Strong minimum password requirements to ensure that customers use a long, unique, and hard-to-guess password.
  • Compromised password checks to prevent customers from reusing a password that was compromised in a previous breach.
  • Adequate monitoring to detect abnormal activity that may be a sign of a cyber-attack, including a sudden spike in failed login attempts, or logins from unfamiliar devices or unusual locations.
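To make the two password bullets concrete, here is an added example (not from the report and not 23andMe’s code) that places a policy resembling the one the report criticises (eight-character minimum, minimal complexity rules, no compromised-password check) beside one that follows the ten-character floor in the guidance the report cites and rejects passwords found in a breach corpus. The breach corpus, the policy objects, the sample passwords and the account name are constructed for the demonstration; a real deployment would consult a maintained corpus rather than the three-entry set here.

```python
"""Password policy: a weak configuration beside the recommended one (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    reject_breached: bool
    reject_username: bool = True


# Constructed to mirror the report: an eight-character minimum with minimal
# complexity rules and no robust compromised-password check, versus the
# ten-character floor in the ICO guidance plus a breach-corpus check.
LEGACY_POLICY = PasswordPolicy(min_length=8, reject_breached=False, reject_username=False)
RECOMMENDED_POLICY = PasswordPolicy(min_length=10, reject_breached=True)


def sha1_hex(password):
    """SHA-1 digest of the password, the form in which breach corpora are usually shared."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a maintained breached-password corpus; only these
# three entries exist, purely so the demo has something to match against.
BREACHED_DIGESTS = frozenset(sha1_hex(p) for p in ("password123", "Summer2023!", "qwerty12345"))


def is_breached(password, corpus=BREACHED_DIGESTS):
    """True if the password appears in the (constructed) breach corpus."""
    return sha1_hex(password) in corpus


def evaluate(password, policy, username=""):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.reject_username and username and username.lower() in password.lower():
        problems.append("contains the account name")
    if policy.reject_breached and is_breached(password):
        problems.append("present in breached-password corpus")
    return problems


def compare(password, username=""):
    """Evaluate one candidate under both policies side by side."""
    return {
        "legacy": evaluate(password, LEGACY_POLICY, username),
        "recommended": evaluate(password, RECOMMENDED_POLICY, username),
    }


if __name__ == "__main__":
    for candidate in ("abc12345", "password123", "alice-rocks-2023", "correct-horse-battery"):
        print(candidate, compare(candidate, username="alice"))
```

The legacy policy accepts every candidate except a name-bearing one it never checks for; the recommended policy rejects the short one, the breached one and the one containing the account name. The breach check belongs at login as well as at registration: existing customers’ passwords predate any new policy, and checking them at each successful login is what catches the reuse of credentials compromised elsewhere that the report says was not being detected.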

When considering web design, appropriate information security safeguards must be prioritized and built into the customer experience design. A breach can also have a significant negative impact on customer experience and trust.

Organizations must notify the appropriate privacy regulators and affected individuals as soon as feasible after discovering a breach that creates a real risk of significant harm.

Breach notifications must include the information that is prescribed under PIPEDA and the Breach of Security Safeguards Regulations. This includes complete information about the personal information that was subject to the breach. Notifications to affected individuals must also provide sufficient information to allow them to understand the significance and potential impact of the breach.

Further resources for organizations:
