Statement by the Privacy Commissioner of Canada following an investigation into data breach at 23andMe
June 17, 2025
Ottawa, Ontario
Privacy Commissioner of Canada Philippe Dufresne today issued the following statement at a news conference.
Good morning.
I am pleased to be joined by UK Information Commissioner John Edwards to share the results of our joint investigation into the global data breach at 23andMe.
As you may know, Commissioner Edwards is in Ottawa this week to participate in the 2025 G7 Data Protection and Privacy Authorities Roundtable that I am hosting tomorrow and Thursday.
The Roundtable provides an opportunity to exchange and discuss matters of mutual interest with international counterparts, with a focus on collaborative efforts to advance privacy and data protection in a digital age.
This investigation is an excellent example of this collaboration in action.
Before we take your questions, Commissioner Edwards and I will each say a few words about the investigation and findings.
Impact on individuals
We decided to launch this joint investigation in light of the international impact of the breach and the highly sensitive nature of the personal information involved.
The breach at 23andMe impacted almost 7 million people worldwide, including nearly 320,000 people in Canada.
The compromised data included highly sensitive information related to health, race and ethnicity information, as well as information about relatives, date of birth, sex at birth and gender. Much of this information was derived from individuals’ DNA.
The breach serves as a cautionary tale for all organizations about the importance of data protection in an era of growing cyberthreats.
It is particularly relevant at a time when more and more personal information is being collected, used, and shared in a growing digital economy.
Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information.
Organizations must also take proactive steps to protect against cyberattacks – this includes using multi-factor authentication, strong minimum password requirements, compromised password checks, and adequate monitoring to detect abnormal activity.
With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable.
Our investigation found that these types of security measures were not in place at 23andMe, which enabled a hacker to carry out a credential-stuffing attack.
We were also concerned to find that the stolen data was later offered for sale online, putting the personal information of affected individuals at further risk.
Benefits of collaboration
Before I turn things over to Commissioner Edwards, I would like to thank him and his team for collaborating with us on this important investigation.
Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance.
By leveraging our combined powers, resources, and expertise, we are able to maximize our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.
Related links
- News Release: Data breach at 23andMe is a reminder to all organizations to prioritize privacy, Privacy Commissioner of Canada cautions in wake of investigation
- Backgrounder: Summary of joint investigation into data breach at 23andMe by the Privacy Commissioner of Canada and the UK Information Commissioner
- UK Information Commissioner news release on the 23andMe investigation