Arab Canada News
Published: June 17, 2025
A joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and its British counterpart (ICO) found that the American DNA analysis company 23andMe failed to take adequate measures to protect its users' personal data, leading to a widespread security breach last year.
The report released on Monday stated that the affected data included sensitive information such as ethnic origin, health information, and genetic links, confirming that the company did not implement sufficient measures to reduce the risks of unauthorized access, nor did it adequately notify customers after the attack occurred.
Cyberattack and Excessive Reliance on Passwords
23andMe was targeted in a cyberattack in 2023, during which credentials stolen from other services were used to log in to user accounts. The investigation noted that the company relied excessively on passwords as the sole means of protection, without implementing additional protocols such as two-factor authentication (2FA).
Violation of Privacy Standards
Canadian Privacy Commissioner Philip Lethbridge affirmed that "biological and genetic data are among the most sensitive types of data," and that the company's failure to secure this data "represents a serious breach of customer trust and privacy protection laws."
For his part, British Information Commissioner John Edwards stated that companies collecting genetic information "bear a special responsibility" to ensure the security of that data, adding that what happened "could have profound implications for users and their families."
Expected Measures
The authorities have given the company a specified timeframe to provide a detailed plan to address these shortcomings, warning of potential fines and legal penalties if the required standards are not met.
This incident is one of the largest privacy breaches in the field of genetic data to date, highlighting the legal and ethical challenges facing biotechnology companies worldwide.