23andMe Investigation

Findings of OPC and ICO

By Christina Catenacci, human writer

Jul 18, 2025

Key Points:

  1. The Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) launched an investigation into the data breach that 23andMe experienced
  2. The OPC and the ICO both concluded that 23andMe contravened provisions concerning safeguards and breach notifications
  3. 23andMe has been sold for $305 million to TTAM


As I wrote recently after 23andMe went bankrupt, both the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) launched an investigation into the data breach that the company experienced. This article discusses the results of that investigation.


As you may recall, 23andMe, a company that provided direct-to-consumer genetic testing and ancestry services to individuals globally, confirmed that it experienced a data breach that affected almost 7 million of its customers (almost 320,000 people in Canada and 155,600 people in the UK). Given the scale of the breach and the sensitivity of the personal information involved, the OPC and the ICO launched an investigation. They tried to determine whether the company contravened Canada’s PIPEDA and the UK’s DPA 2018 and UK GDPR.


What did the Commissioners find?


According to the Commissioners, there were several deficiencies regarding safeguards that fell into three main areas:


  • Prevention: multi-factor authentication was not mandatory; minimum password requirements and compromised-password checks were inadequate; and there were no additional protections for access to raw DNA data


  • Breach detection: detection systems were ineffective; logging and monitoring of suspicious activity were insufficient; and anomalies were not adequately investigated


  • Breach response: mitigation was delayed (it took four days to disable all active user sessions and implement a password reset for all customers)


As a result, both the OPC and the ICO concluded that there was a failure to implement appropriate safeguards to ensure the protection of the highly sensitive personal information of its customers.
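The prevention gaps the Commissioners listed (no mandatory MFA, weak minimum password requirements, no compromised-password checks, no extra protection for raw DNA data) correspond to checks a web application can enforce at registration, at password change, and at the moment a user asks for a sensitive download. The following Python is an added example written for this article; it is not 23andMe code and does not come from the OPC or the ICO. The breach corpus, the 12-character minimum, the 300-second step-up window, and every function and field name are assumptions.

```python
"""Account-protection checks of the kind the Commissioners found missing.
Added illustration: the breach corpus is a constructed in-memory table, and
the policy values are assumptions. A real deployment would consult a
k-anonymity range lookup or a local copy of a breached-password list."""
import hashlib
import re
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 12      # assumed policy value
RAW_DNA_REAUTH_WINDOW = 300   # seconds; assumed step-up window for raw data

# Constructed breach corpus, kept only as SHA-1 digests and indexed by the
# first five hex characters, mirroring the k-anonymity range model.
_BREACHED_SAMPLES = ["password123", "qwerty", "letmein", "Summer2023!"]
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in _BREACHED_SAMPLES:
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def is_compromised(password: str) -> bool:
    """Compromised-password check: only the 5-char prefix would leave the client;
    the remaining 35 characters are compared locally against the returned range."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in BREACH_INDEX.get(digest[:5], set())


def password_problems(password: str, user_email: str = "") -> list[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems: list[str] = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    local_part = user_email.split("@")[0].lower()
    if local_part and local_part in password.lower():
        problems.append("contains the account's email name")
    if is_compromised(password):
        problems.append("appears in a known breach corpus")
    return problems


@dataclass
class Session:
    user_id: str
    mfa_verified: bool          # second factor completed for this session
    seconds_since_auth: int     # age of the most recent credential check


def may_download_raw_dna(session: Session) -> tuple[bool, str]:
    """Step-up gate for raw genetic data: the session must be MFA-verified and
    the user must have re-entered credentials recently. The rule is an assumption
    about what an 'additional protection' for raw DNA access could look like."""
    if not session.mfa_verified:
        return False, "mfa_required"
    if session.seconds_since_auth > RAW_DNA_REAUTH_WINDOW:
        return False, "reauthentication_required"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password123", "Correct-Horse-Battery-9"):
        print(candidate, "->", password_problems(candidate, "alice@example.com") or "ok")
    print(may_download_raw_dna(Session("alice", mfa_verified=False, seconds_since_auth=30)))
```

The compromised-password check hashes on the client side and would send only the five-character prefix to a lookup service, so the service never learns the candidate password; the raw-DNA gate separates "logged in" from "recently proved identity with a second factor", which is the kind of additional protection the findings say was absent.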


Also, there were many deficiencies in terms of breach notifications:


  • Notification to the Commissioners: the company’s breach reports did not meet the requirements, since they omitted complete information about the personal information that was involved. With respect to timing, however, the Commissioners accepted that the company provided its breach notification as soon as feasible


  • Notification to the affected individuals: the company’s notifications failed to provide relevant information that was known to the company when the notifications were sent, including complete information about the personal information that was or was likely to be involved in the breach and the fact that the personal information of some individuals had been posted for sale online by the hacker. Further, regarding timing, individuals were not notified that their accounts had been accessed by the hacker until more than one month after the company had completed its forensic analysis and determined which accounts had been accessed


Therefore, both the OPC and the ICO concluded that the company contravened the breach notification requirements.


The Commissioners noted that on March 23, 2025, following the breach and in the face of mounting financial losses, 23andMe Holding Co. and certain of its subsidiaries, including 23andMe, filed for Chapter 11 bankruptcy under the US Bankruptcy Code. Both the OPC and the ICO communicated with the trustee in bankruptcy and emphasized the legal requirement that personal information relating to individuals located in Canada and the UK be handled in compliance with their respective data protection laws.


The sale approval hearing was scheduled to take place on June 17, 2025 in the US Bankruptcy Court for the Eastern District of Missouri. A bankruptcy court just approved the $305 million sale to a nonprofit organization led by the company's former CEO Anne Wojcicki. The TTAM Research Institute, a California-based nonprofit set to acquire 23andMe, plans to maintain the company's customer privacy policies and add further data security measures. What’s more, the nonprofit plans to operate for "the public good".


Interestingly, a company named Regeneron Pharmaceuticals had offered to buy most of 23andMe’s assets for $256 million. It did not submit a higher bid during the bidding process following its assessment of the company’s remaining value. This means that TTAM won out in the bidding war, and it was Wojcicki who used her own funds to purchase the company.


What were the OPC’s key recommendations?


The OPC noted that when taking proactive steps to protect against cyber attacks, it is important to begin by identifying potential threats and the risk of harm associated with them. When the personal information at issue is highly sensitive, the safeguards should be more robust, because there is a heightened risk of harm.


Additionally, credential-based attacks such as “credential stuffing” are among the most common and well-known threats targeting web applications. Organizations should ensure that their customers’ online accounts are protected against such attacks by using safeguards that are appropriate to the sensitivity of the personal information at risk.


Some of the ways to protect against credential-based attacks are:


  • Mandatory multi-factor authentication that requires customers to enter more than just a password in order to access an account


  • Strong minimum password requirements to ensure that customers use a long, unique, and hard-to-guess password


  • Compromised password checks to prevent customers from reusing a password that was compromised in a previous breach


  • Adequate monitoring to detect abnormal activity that may be a sign of a cyber attack, including a sudden spike in failed login attempts, or logins from unfamiliar devices or unusual locations
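The monitoring item above names the signals a login pipeline should watch for: a sudden spike in failed attempts, one source failing against many different accounts (the credential-stuffing signature), and successful logins from devices or locations the account has never used. The Python below is an added example for this article, not code from 23andMe or the regulators; the log format, the sample lines, the thresholds, the known-device tables and all function names are constructed assumptions. It also lists the accounts that succeeded from a flagged source, which is the set whose sessions need revoking first, the response step the findings say took four days.

```python
"""Login-monitoring rules for the patterns the OPC lists: a spike in failed
logins, one source hitting many accounts, and successful logins from
unfamiliar devices or countries. Added illustration over constructed log
lines; field names and thresholds are assumptions, not a real log format."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one line per login attempt. A burst from 203.0.113.5
# tries eight accounts in eight seconds and then succeeds against "bob".
LOG_LINES = """\
2023-10-01T09:00:00Z user=alice ip=198.51.100.7 result=success device=d-alice country=CA
2023-10-01T09:30:00Z user=carol ip=198.51.100.9 result=fail device=d-carol country=GB
2023-10-01T09:30:20Z user=carol ip=198.51.100.9 result=success device=d-carol country=GB
2023-10-01T10:00:01Z user=alice ip=203.0.113.5 result=fail device=d-bot country=RO
2023-10-01T10:00:02Z user=bob ip=203.0.113.5 result=fail device=d-bot country=RO
2023-10-01T10:00:03Z user=carol ip=203.0.113.5 result=fail device=d-bot country=RO
2023-10-01T10:00:04Z user=dave ip=203.0.113.5 result=fail device=d-bot country=RO
2023-10-01T10:00:05Z user=erin ip=203.0.113.5 result=fail device=d-bot country=RO
2023-10-01T10:00:06Z user=frank ip=203.0.113.5 result=fail device=d-bot country=RO
2023-10-01T10:00:07Z user=grace ip=203.0.113.5 result=fail device=d-bot country=RO
2023-10-01T10:00:08Z user=heidi ip=203.0.113.5 result=fail device=d-bot country=RO
2023-10-01T10:00:09Z user=bob ip=203.0.113.5 result=success device=d-bot country=RO
"""

# Constructed per-account history of previously seen devices and countries.
KNOWN_DEVICES = {"alice": {"d-alice"}, "bob": {"d-bob"}, "carol": {"d-carol"}}
KNOWN_COUNTRIES = {"alice": {"CA"}, "bob": {"CA"}, "carol": {"GB"}}


def parse_line(line: str) -> dict:
    """Turn 'timestamp key=value ...' into a dict with a tz-aware datetime."""
    ts_text, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


EVENTS = [parse_line(l) for l in LOG_LINES.splitlines() if l.strip()]


def credential_stuffing_sources(events, window=timedelta(minutes=5),
                                min_failures=5, min_accounts=5):
    """IPs whose failures inside any sliding window hit many distinct accounts.
    Returns {ip: max distinct accounts seen in one window}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= min_failures and len(users) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def failed_login_spikes(events, bucket=timedelta(minutes=1), factor=5.0, min_count=5):
    """Bucket start times where failures are both above an absolute floor and
    several times the average of the other buckets."""
    size = int(bucket.total_seconds())
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            counts[int(e["ts"].timestamp()) // size] += 1
    spikes = []
    for b, c in counts.items():
        others = [v for k, v in counts.items() if k != b]
        baseline = sum(others) / len(others) if others else 0.0
        if c >= min_count and c >= factor * baseline:
            spikes.append(datetime.fromtimestamp(b * size, tz=timezone.utc))
    return sorted(spikes)


def unfamiliar_successes(events, known_devices, known_countries):
    """Successful logins from a device or country the account has not used before."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        reasons = []
        if e["device"] not in known_devices.get(e["user"], set()):
            reasons.append("new_device")
        if e["country"] not in known_countries.get(e["user"], set()):
            reasons.append("new_country")
        if reasons:
            alerts.append((e["user"], e["ip"], reasons))
    return alerts


def compromised_accounts(events, stuffing_ips):
    """Accounts that were successfully logged into from a flagged source:
    the first candidates for session revocation, password reset and notice."""
    return {e["user"] for e in events
            if e["result"] == "success" and e["ip"] in stuffing_ips}


if __name__ == "__main__":
    sources = credential_stuffing_sources(EVENTS)
    print("stuffing sources:", sources)
    print("failure spikes:", failed_login_spikes(EVENTS))
    print("unfamiliar logins:", unfamiliar_successes(EVENTS, KNOWN_DEVICES, KNOWN_COUNTRIES))
    print("accounts to revoke:", compromised_accounts(EVENTS, sources))
```

The three rules are independent, so a single source can trip all of them; in the sample, the burst from 203.0.113.5 raises a spike, is flagged as a stuffing source, and its one success is also a new-device, new-country login for "bob", which is exactly the account the response step should act on first.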


Moreover, when considering web design, appropriate information security safeguards have to be prioritized and built into the customer experience design, since breaches could also have a significant negative impact on customer experience and trust.


Last but not least, organizations need to notify the appropriate privacy regulators and affected individuals as soon as feasible after discovering a breach that creates a real risk of significant harm.


In Canada, there are certain things that companies need to communicate following a breach. For instance, breach notifications must include the information that is prescribed under PIPEDA and the Breach of Security Safeguards Regulations. Companies need to report complete information about the personal information that was subject to the breach. Notifications to affected individuals must also provide sufficient information to allow them to understand the significance and potential impact of the breach.


Commissioner Philippe Dufresne of the OPC stated:


“Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable.”


On the topic of collaboration between the OPC and the ICO, he stated:


“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance.


By leveraging our combined powers, resources, and expertise, we are able to maximize our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”


Businesses can also refer to the helpful guidance of the OPC titled, “What you need to know about mandatory reporting of breaches of security safeguards” here for further information on how to take proactive steps to deal with data breaches. Also, the Information Bulletin on Safeguards can be found here.
