The 23andMe data breach exposed highly sensitive personal and genetic information. Canadian and UK regulators found that 23andMe failed to implement adequate security measures and violated their respective data protection laws. The case shows how weak security practices and a slow breach response can seriously undermine trust and breach privacy laws, especially where permanent, high-risk data such as DNA is involved.

Background of the data breach

23andMe is a US-based company that provides direct-to-consumer genetic testing and ancestry services to individuals globally. Between April and September 2023, attackers gained access to user accounts through a credential stuffing attack, in which usernames and passwords leaked from earlier breaches of other services are replayed against the login form of the target platform. Because many people reuse the same credentials across services, this type of attack often succeeds unless additional safeguards such as multi-factor authentication (MFA) are in place. 23andMe became aware of the breach in early October 2023.

Once inside, the attackers used the DNA Relatives feature, which shows an account holder information about other customers who are a genetic match, to collect the personal data of individuals genetically linked to those accounts. Although fewer than 20,000 accounts were directly accessed, the attackers used them to reach the profiles of nearly 7 million people, including more than 319,000 individuals in Canada and 155,000 in the UK.

Personal data compromised

The breach exposed:

  • names, dates of birth, and locations;
  • profile photos and user-generated content;
  • ethnic background and ancestry reports;
  • health and pharmacogenetic information;
  • raw DNA data files; and
  • DNA Relatives matches and family tree connections.

This type of data is particularly sensitive because it is permanent, deeply personal, and often relates to other people, such as family members.

Key findings

The Office of the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner’s Office (ICO) found that 23andMe failed to implement appropriate safeguards in three key areas: prevention, detection and breach response.

Prevention

23andMe chose not to make MFA mandatory, which left most accounts protected only by a password, and many of those passwords had already been exposed in other breaches. The company set weak password requirements and did not check whether users were reusing compromised credentials. It also allowed raw DNA data to be downloaded after login without any further verification, so a single stolen password gave an attacker the most sensitive data on the account.
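The following Python is an added example and is not code from 23andMe or from the regulators’ reports. It shows the three missing controls side by side: a breached-password check using the k-anonymity range scheme (the client hashes the password with SHA-1 and sends only the first five hex characters, the server returns every suffix it holds for that prefix, and the comparison happens locally, so the server never sees the password or its full hash); a login flow in which MFA is mandatory and a correct but known-breached password forces a reset instead of being allowed through; and a step-up check that refuses a raw DNA download unless MFA was verified within a short window. The breach corpus, the two accounts, the 12-character minimum and the 300-second window are all constructed for the example; a real deployment would query a breach feed for the bucket instead of the in-memory index.

```python
import hashlib
import hmac

# Constructed breach corpus: stands in for a leaked-credential feed (assumption).
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2023!"]

MIN_PASSWORD_LENGTH = 12       # assumed policy value
MFA_FRESHNESS_SECONDS = 300    # assumed step-up window for raw-data downloads


def sha1_hex(password: str) -> str:
    """SHA-1 is used only to form the k-anonymity bucket, as the range scheme does."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: list[str]) -> dict[str, dict[str, int]]:
    """Server-side index: 5-char hash prefix -> {35-char suffix: occurrences}."""
    index: dict[str, dict[str, int]] = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(prefix: str) -> dict[str, int]:
    """Stand-in for the range query; the server only ever receives the prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Client side: fetch the bucket for the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def password_problems(password: str) -> list[str]:
    """Reasons a new password must be rejected; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    n = breach_count(password)
    if n:
        problems.append(f"found in {n} known breach record(s)")
    return problems


def kdf(password: str, salt: bytes) -> bytes:
    """Slow salted hash for storage; the SHA-1 used for the bucket is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_account(password: str, salt: bytes) -> dict:
    return {"salt": salt, "hash": kdf(password, salt)}


# Constructed accounts: alice reuses a breached password, bob does not.
ACCOUNTS = {
    "alice": make_account("Summer2023!", b"constructed-salt-1"),
    "bob": make_account("correct horse battery staple", b"constructed-salt-2"),
}


def login(username: str, password: str, mfa_ok: bool, now: float) -> dict:
    """MFA is mandatory, and a correct but known-breached password is refused
    with a forced reset instead of being allowed through."""
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct["hash"], kdf(password, acct["salt"])):
        return {"ok": False, "reason": "bad_credentials"}
    if not mfa_ok:
        return {"ok": False, "reason": "mfa_required"}
    if breach_count(password):
        return {"ok": False, "reason": "password_breached_reset_required"}
    return {"ok": True, "user": username, "last_mfa_at": now}


def download_raw_dna(session: dict, now: float) -> dict:
    """Step-up: raw genetic data needs an MFA check within the freshness
    window, not merely a live session."""
    if not session.get("ok"):
        return {"ok": False, "reason": "not_authenticated"}
    if now - session["last_mfa_at"] > MFA_FRESHNESS_SECONDS:
        return {"ok": False, "reason": "fresh_mfa_required"}
    return {"ok": True, "user": session["user"], "artifact": "raw_dna_export"}
```

The order of checks in `login` matters: the breach check runs only after the password has been verified, so the breach lookup cannot be used to probe which passwords the site considers valid, and the user is told to reset rather than being silently locked out. The same `breach_count` call can be run during a scheduled sweep of stored credentials, which is how accounts already registered with a reused password are found before an attacker finds them.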

Detection

23andMe did not detect the breach for months. Its systems missed clear signs of suspicious activity, such as repeated failed logins and account takeovers. The company logged too little detail and gave users no visibility into who was accessing their accounts, both of which made unauthorised access harder to detect.
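The credential stuffing pattern described in the background section and the detection gap described here, as an added example in Python that is not code from 23andMe or the regulators: a small detector run over constructed authentication log lines. Stuffing looks different from a user who has forgotten a password: one source tries many distinct accounts, almost all attempts fail, and the few successes are first-try hits because the replayed password was already valid for that account. The detector parses the log, scores each source address on distinct usernames and failure ratio, treats any success from a flagged source as a suspected takeover, and separately counts failures per minute to catch the volume spike. The log format, the addresses, and the thresholds (five distinct users, a 70% failure ratio, more than two failures per minute) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in an assumed "key=value" format; real systems would
# also carry user agent, TLS fingerprint and geolocation, which sharpen this.
AUTH_LOG = """\
2023-05-02T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-05-02T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-05-02T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2023-05-02T10:00:03Z ip=203.0.113.5 user=dave result=OK
2023-05-02T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2023-05-02T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2023-05-02T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2023-05-02T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2023-05-02T10:03:10Z ip=198.51.100.7 user=alice result=FAIL
2023-05-02T10:03:25Z ip=198.51.100.7 user=alice result=FAIL
2023-05-02T10:03:40Z ip=198.51.100.7 user=alice result=OK
2023-05-02T10:05:00Z ip=192.0.2.9 user=bob result=OK
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text: str) -> list[dict]:
    """Parse lines into events; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def source_stats(events: list[dict]) -> dict[str, dict]:
    """Per source address: attempts, failures, distinct users, users logged into."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": []})
    for ev in events:
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].append(ev["user"])
    return stats


def stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.7) -> dict[str, dict]:
    """Sources that spray many distinct accounts with a high failure ratio."""
    flagged = {}
    for ip, s in source_stats(events).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": ratio,
                "took_over": sorted(s["successes"]),
            }
    return flagged


def suspected_takeovers(events, **thresholds) -> list[str]:
    """Accounts a flagged source logged into: the ones to lock and notify first."""
    hits = set()
    for info in stuffing_sources(events, **thresholds).values():
        hits.update(info["took_over"])
    return sorted(hits)


def failure_spikes(events, max_failures_per_minute=2) -> list[str]:
    """Minutes whose failure count exceeds the assumed baseline, across all sources."""
    per_minute = defaultdict(int)
    for ev in events:
        if ev["result"] == "FAIL":
            per_minute[ev["ts"].replace(second=0)] += 1
    return [
        minute.strftime("%Y-%m-%dT%H:%MZ")
        for minute, n in sorted(per_minute.items())
        if n > max_failures_per_minute
    ]
```

Run against the constructed log, the detector flags 203.0.113.5 (eight accounts, seven failures, one first-try success on dave), leaves 198.51.100.7 alone because it only ever tried alice, and reports the 10:00 minute as a failure spike. Two caveats for real traffic: attackers spread stuffing across proxy pools so that no single address crosses the per-source thresholds, which is why the same scoring should also be applied per user agent or client fingerprint and to the count of distinct accounts targeted per window; and the `took_over` list is only as good as the log, so the per-account login history it depends on needs to be retained and, as the regulators noted, shown to the account holder.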

Breach response

After confirming the breach, the company took four days to reset passwords and almost a month to block raw DNA downloads and require MFA. It had no clear plan for handling credential stuffing attacks, which delayed its response and increased the risk to individuals.

Incomplete and delayed breach notifications

The OPC and ICO also found that 23andMe failed to meet its legal obligations to notify both regulators and affected individuals.

  • Missing key details: The company left out key information from its initial reports, including the fact that raw DNA data had been compromised.
  • Delays in individual notification: Some affected users were never notified. Others received notifications weeks after 23andMe had already confirmed that their data had been accessed.
  • No disclosure of data for sale: Users were not told that their personal information had been offered for sale online.

These failures increased the risk of harm to the individuals affected and undermined public trust.

What did the OPC and ICO decide?

Both regulators concluded that 23andMe had breached the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the UK General Data Protection Regulation (UK GDPR).

  • The OPC found that 23andMe failed to implement appropriate safeguards and did not provide timely, complete data breach notifications.
  • The ICO reached similar findings and noted that 23andMe had failed to ensure the integrity and confidentiality of personal information. It also imposed a penalty of £2.31 million.

23andMe has since introduced security improvements, including mandatory two-step verification, but these changes came after the breach occurred.

Why this breach matters

This case shows the serious risks involved in handling genetic and health-related data. This category of personal information:

  • is permanent. Individuals cannot change their DNA. Once exposed, this information remains sensitive and relevant for a lifetime.
  • reveals intimate personal details. Genetic data can uncover medical predispositions, inherited conditions, and a person’s ethnic background or ancestry.
  • impacts others beyond the data subject. DNA data is often linked to relatives, meaning a breach can affect family members who never used the service themselves.

If compromised, this information may lead to discrimination, re-identification, or other long-term harms. Organisations that collect or process sensitive personal data must go beyond minimum security requirements and treat it with the highest level of care.

Ongoing obligations and key takeaways

23andMe has filed for Chapter 11 bankruptcy in the USA. The OPC and ICO confirmed that data protection obligations still apply, even during insolvency. Any future buyer or acquiring entity must continue to comply with Canadian and UK data protection laws when handling this personal information. The legal duties to protect, manage and process personal data responsibly do not end with a change of ownership or financial restructuring.

The 23andMe data breach is a warning to all organisations that collect and process sensitive personal data. Weak authentication has legal consequences. Slow detection and incomplete breach notifications damage both reputation and public trust. Protecting people’s information is not just a matter of compliance; it is a matter of trust.

To read the full findings, visit the regulators’ websites:

  • The OPC summarised its findings and recommendations in a detailed case report.
  • The ICO published its decision and statement.