
Federal privacy commissioner Philippe Dufresne and U.K. information commissioner John Edwards spoke to reporters during a press conference held at Ottawa’s National Press Theatre on Tuesday, June 17, 2025. (Photo credit: Sean Kilpatrick / The Canadian Press)
A major security lapse at genetic testing firm 23andMe led to the exposure of sensitive personal data from nearly seven million customers — a breach that could have been avoided, according to a joint investigation by Canadian and U.K. privacy watchdogs.
On Tuesday, Canada’s Privacy Commissioner Philippe Dufresne and U.K. Information Commissioner John Edwards revealed findings from their year-long investigation into the breach. It affected about 6.9 million users, including 320,000 Canadians.
Dufresne warned the public that this breach is a stark reminder of how vital strong digital security is. “It’s a lesson for every organization handling personal data in today’s digital age,” he said during a press briefing.
23andMe, known for its DNA testing kits that analyze customers' saliva to trace ancestry and health traits, filed for bankruptcy earlier this year. The investigation revealed the breach was caused by weak internal safeguards, allowing hackers to exploit reused passwords from other online leaks.
Sensitive details like customers’ health data, racial and ethnic backgrounds, birthdates, gender identity, and even information about relatives were compromised. What made it worse was that some of this data later ended up for sale online, increasing the risk of identity theft or misuse.
The breach began on April 29, 2023, and lasted five months. Hackers gained access to more than 18,000 customer accounts by using previously stolen login credentials from other websites. Once inside, they accessed not only the account holders' information but also details of their genetic relatives, due to an optional sharing feature on 23andMe’s platform. As a result, data from millions more individuals became vulnerable.
The report stated that 23andMe had failed to adopt even basic cybersecurity measures. It didn’t require users to set complex passwords, nor did it mandate two-step authentication, which is now standard across many digital platforms. The company also didn’t check whether customers’ passwords had been leaked in earlier data breaches elsewhere.
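The report's three missing controls are each mechanical to enforce at account creation and login. The following is an added illustration, not code from the report or from 23andMe: it applies a minimum-length rule and checks a candidate password against a breached-password corpus using the k-anonymity "range" scheme (the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally, so the password itself never leaves the service). The network call is replaced by an in-memory store built from a small constructed leak list so the example runs offline; the leak list, hostnames and thresholds are assumptions for illustration.

```python
import hashlib

# Constructed leak list used to build the fake range store below. A real
# deployment would query a breached-password service over HTTPS instead.
KNOWN_LEAKED = {"password123": 5, "letmein": 3}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the shape range lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_fake_range_store() -> dict:
    """Map 5-char hash prefix -> list of 'SUFFIX:COUNT' lines (constructed)."""
    store = {}
    for pw, count in KNOWN_LEAKED.items():
        h = sha1_hex(pw)
        store.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return store


FAKE_RANGE_STORE = build_fake_range_store()


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS range call; only the 5-char prefix is sent."""
    return "\r\n".join(FAKE_RANGE_STORE.get(prefix, []))


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the leak corpus (0 if none).

    The full hash is never transmitted: the caller sends the prefix and
    matches the remaining 35 hex characters against the response locally.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, min_length: int = 12) -> tuple:
    """Return (accepted, reasons). Rejects short or previously leaked passwords."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password)
    if seen > 0:
        reasons.append(f"appears in known breaches ({seen} times)")
    return (len(reasons) == 0, reasons)


if __name__ == "__main__":
    for pw in ("password123", "letmein", "a-long-unique-passphrase-2025"):
        ok, why = evaluate_password(pw)
        print(pw, "accepted" if ok else f"rejected: {', '.join(why)}")
```

The same check belongs at login as well as at registration: a password that was fine when chosen may turn up in a later leak, and a positive hit at sign-in is exactly the signal to force a reset and require a second factor.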
More alarmingly, there were no extra protections for extremely sensitive content like raw DNA data — information that could potentially be misused for medical, legal, or insurance reasons.
The investigation also found that 23andMe’s internal security systems did not flag any unusual activity even as hackers were clearly working their way into thousands of accounts. Despite recognizing the attack as it was happening, it took the company four days to log out users and force password resets. It took another month to shut down the raw DNA download option and finally implement two-factor authentication.
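The pattern described above, one source working through thousands of accounts with stolen credentials, is visible in ordinary authentication logs long before the first successful login. The following is an added example, not code from the report or from 23andMe: a small detector that replays constructed login events through a sliding time window per source IP, flags a source once it has touched many distinct accounts with a high failure ratio, and lists the accounts that nevertheless logged in successfully from that source (the ones to sign out and reset first). The log format, IP addresses, account names and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 sprays stolen credentials across accounts;
# 198.51.100.2 is one person mistyping a password once.
SAMPLE_LOG = """\
2023-04-29T10:00:01Z ip=203.0.113.7 user=alice result=fail
2023-04-29T10:00:03Z ip=203.0.113.7 user=bob result=fail
2023-04-29T10:00:04Z ip=198.51.100.2 user=alice result=fail
2023-04-29T10:00:06Z ip=203.0.113.7 user=carol result=fail
2023-04-29T10:00:09Z ip=203.0.113.7 user=dave result=ok
2023-04-29T10:00:12Z ip=198.51.100.2 user=alice result=ok
2023-04-29T10:00:14Z ip=203.0.113.7 user=erin result=fail
2023-04-29T10:00:17Z ip=203.0.113.7 user=frank result=fail
2023-04-29T10:00:20Z ip=203.0.113.7 user=grace result=ok
"""


def parse(line: str) -> dict:
    """Turn one log line into an event dict; raises on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_distinct_users=5, min_fail_ratio=0.5) -> dict:
    """Return {source_ip: set(accounts that logged in OK from a flagged source)}.

    A source is flagged when, within `window`, it has attempted logins for at
    least `min_distinct_users` different accounts and at least `min_fail_ratio`
    of those attempts failed. Successful logins from a flagged source, both
    those already in the window and later ones, are reported for forced
    sign-out and password reset.
    """
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> events inside the current window
    flagged = {}                  # ip -> accounts with a successful login

    for ev in events:
        q = recent[ev["ip"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()

        if ev["ip"] not in flagged:
            users = {e["user"] for e in q}
            fails = sum(1 for e in q if e["result"] == "fail")
            if len(users) >= min_distinct_users and fails / len(q) >= min_fail_ratio:
                # Newly flagged: pick up successes already inside the window.
                flagged[ev["ip"]] = {e["user"] for e in q if e["result"] == "ok"}
        elif ev["result"] == "ok":
            flagged[ev["ip"]].add(ev["user"])

    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"credential stuffing from {ip}; reset accounts: {sorted(accounts)}")
```

The thresholds here are deliberately low so the sample trips them; in production they are tuned against normal traffic, and the same windowed counting is usually run per /24 or per ASN as well as per address, since stuffing campaigns rotate sources. The point the report makes is that the signal existed for months; a rule of this size, wired to an alert and an automatic session revocation, closes most of the four-day gap.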
Privacy commissioners in both countries emphasized that organizations must do better — especially those handling deeply personal information like genetic data. Stronger digital protections, faster response times, and better detection systems are no longer optional, they said — they are essential.

