News release

Data breach at 23andMe is a reminder to all organizations to prioritize privacy, Privacy Commissioner of Canada cautions in wake of investigation

June 17, 2025 – Ottawa, Ontario, Canada

A global data breach at 23andMe serves as a cautionary tale for all organizations about the importance of data protection in an era of growing cyberthreats, Privacy Commissioner Philippe Dufresne warned following an investigation into the breach.

The joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the United Kingdom Information Commissioner’s Office (ICO) found that the company had failed to implement adequate security measures to protect the personal information of 7 million customers, including nearly 320,000 Canadians.

Investigation details

Between April and September 2023, a hacker carried out a credential-stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen in previous unrelated data breaches.

The investigation revealed that 23andMe did not implement appropriate controls to protect against unauthorized access to highly sensitive personal data and did not have effective systems in place to monitor, detect, or respond to cyberthreats targeting its customers’ sensitive information.

The company’s response as the incident unfolded was also inadequate. It failed to properly investigate signals that a breach may be occurring, including a credible claim that customer data had been stolen.

The investigation underscores the need for all organizations to take proactive steps to protect against cyberattacks, including multi-factor authentication, strong minimum password requirements, checks for compromised passwords, and adequate monitoring to detect abnormal activity.
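Two of the controls named above, a compromised-password check and monitoring that distinguishes a credential-stuffing burst from an ordinary failed login, are shown below in Python as an added illustration; this code is not part of the release and has no connection to 23andMe's systems. The log format, the source addresses, the usernames, the breached-password list and the thresholds (a 10-minute window, five distinct accounts) are all constructed for the example; the prefix-indexed lookup is modelled on the k-anonymity style of public breached-password range services but runs entirely offline.

```python
"""Added example: credential-stuffing detection over constructed auth logs,
plus a minimum-length and breached-password check for new passwords."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not real data).
# Fields: ISO-8601 timestamp, source IP, username, outcome (OK or FAIL).
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice FAIL
2023-05-01T10:00:02Z 203.0.113.7 bob FAIL
2023-05-01T10:00:03Z 203.0.113.7 carol FAIL
2023-05-01T10:00:04Z 203.0.113.7 dave OK
2023-05-01T10:00:05Z 203.0.113.7 erin FAIL
2023-05-01T10:00:06Z 203.0.113.7 frank FAIL
2023-05-01T10:00:07Z 203.0.113.7 grace OK
2023-05-01T10:05:00Z 198.51.100.4 alice FAIL
2023-05-01T10:05:30Z 198.51.100.4 alice FAIL
2023-05-01T10:06:00Z 198.51.100.4 alice OK
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that try logins against many *distinct* accounts inside
    one window. A user fumbling their own password (198.51.100.4 above) touches
    one account; stuffing replays leaked username/password pairs across many.
    Accounts that logged in OK during such a burst are listed so they can be
    forced through a password reset and step-up authentication."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                successes = sorted(u for _, u, o in in_window if o == "OK")
                alerts[ip] = {"distinct_users": len(users), "compromised": successes}
                break
    return alerts


# Constructed stand-in for a breached-password corpus (assumption, not real data).
BREACHED_PASSWORDS = ["password123", "qwerty", "letmein2023"]


def _sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Index like a k-anonymity range service: 5-char hash prefix -> set of suffixes.
_BREACH_INDEX = defaultdict(set)
for _pw in BREACHED_PASSWORDS:
    _h = _sha1_hex(_pw)
    _BREACH_INDEX[_h[:5]].add(_h[5:])


def is_compromised(password):
    """True if the password's SHA-1 appears in the (constructed) breach index."""
    h = _sha1_hex(password)
    return h[5:] in _BREACH_INDEX.get(h[:5], set())


def check_password(password, min_length=12):
    """Return the list of policy problems with a candidate password (empty = OK)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_compromised(password):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_log(SAMPLE_LOG)))
    print(check_password("qwerty"), check_password("correct horse battery staple"))
```

On the constructed log, only 203.0.113.7 is flagged (seven distinct accounts in seconds, with `dave` and `grace` as successful logins to be reset), while the repeated failures against a single account from 198.51.100.4 are not. The detection keys on the number of distinct accounts per source rather than on failure counts alone, because a stuffing attack that reuses valid credentials produces successes as well as failures.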

The company also did not adequately notify regulators and affected customers after the breach as required under Canadian and UK laws.

The company now faces a £2.31 million fine under UK privacy law, underscoring the effectiveness of international enforcement collaboration. Commissioner Dufresne does not have the power to make orders or issue penalties under current federal privacy law. He has called for modernized laws that would bring Canada in line with its global partners.

Impact on individuals

The compromised data included highly sensitive information related to health, race and ethnicity, as well as information about relatives, date of birth, sex at birth and gender. Much of this information was derived from the individual’s DNA. The type and amount of personal information accessed varied depending on the information included in a customer’s account.

The responsibility to keep people’s information secure lies first and foremost with companies that collect and use personal information. Organizations that prioritize privacy by building protections into their products and services at the outset earn customer trust which in turn can support the company’s success.

Canadians affected by the 23andMe breach can also take steps to protect their personal information held in other online accounts, by changing their passwords, avoiding password reuse, enabling multi-factor authentication where available, and monitoring their accounts for unusual activity. Affected Canadians should also stay vigilant against phishing scams that reference personal information. The OPC website has additional tips on how to protect personal information after a data breach.

23andMe bankruptcy

Since the launch of the investigation, 23andMe has filed for Chapter 11 bankruptcy in the United States. This has sparked concerns from 23andMe customers about how their personal information may be shared and used in the future.

The OPC and ICO have written to the trustee overseeing the proceedings to clarify legal requirements for the handling of personal information of individuals in Canada and the UK. The regulators will provide the purchaser of 23andMe’s data holdings with the report of findings from their joint investigation to ensure that they are aware of their legal privacy obligations.

The OPC and ICO will also not hesitate to take action if there is evidence that the new owner is not complying with privacy laws.

Quotes

“Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable.”

“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources, and expertise, we are able to maximize our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”

Philippe Dufresne
Privacy Commissioner of Canada

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: ‘once this information is out there, it cannot be changed or reissued like a password or credit card number.’ 23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”

John Edwards
UK Information Commissioner

Media contacts

Office of the Privacy Commissioner of Canada
communications@priv.gc.ca

UK Information Commissioner’s Office
pressoffice@ico.org.uk