In what could be described as one of the most concerning genetic privacy incidents in recent history, Canadian and British data protection authorities have launched a coordinated investigation into 23andMe’s massive data breach that exposed sensitive genetic information of millions of users worldwide.
The Office of the Privacy Commissioner of Canada announced Tuesday that it has joined forces with the United Kingdom’s Information Commissioner’s Office to investigate the security failure at the popular DNA testing company. The joint approach reflects the cross-border reach of a breach that affected customers in multiple countries.
“When consumers entrust companies with their most personal biological information, they rightfully expect fortress-like protection,” said Canadian Privacy Commissioner Philippe Dufresne in a statement obtained by CO24 News. “This investigation will determine whether 23andMe met the stringent safeguards required for such sensitive data.”
The breach, first reported in October 2023, initially appeared limited in scope but quickly expanded. 23andMe later disclosed that the attackers had directly logged into roughly 14,000 accounts, about 0.1% of its customers, and had used those accounts to pull profile information on approximately 6.9 million users, nearly half of the company’s customer base. The attackers employed a technique known as “credential stuffing”: they took email-and-password pairs leaked in breaches of other services and replayed them at scale against the 23andMe login page, succeeding wherever a customer had reused the same password. No flaw in 23andMe’s login code was needed; the amplification came afterwards, because each opened account could view the DNA Relatives and Family Tree profiles of its genetic matches, and the attackers harvested those in bulk.
Particularly troubling was that the stolen data was advertised in sets sorted by ancestry, with users of Ashkenazi Jewish and Chinese descent singled out. According to CO24 World sources, the compromised information went beyond the email addresses and reused passwords that unlocked the accounts: it included display names and locations, genetic ancestry data, health predisposition reports, and DNA relative matches, creating potential risks ranging from identity theft to genetic discrimination.
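The two stages described above, the credential-stuffing logins and the bulk reading of relative profiles from the accounts that opened, leave distinct traces in authentication and application logs. The following is an added example, not code from the article or from 23andMe, showing detection logic for both over a constructed log sample; the log format, field names, IP addresses, account names and thresholds are all assumptions made for the example.

```python
"""Added example: detect credential stuffing (one source trying many accounts
with recycled passwords) and the follow-on bulk reading of relative profiles
from a successfully stuffed account. Log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log (synthetic; not real 23andMe telemetry).
# 203.0.113.7 sprays distinct usernames from a breach list and mostly fails;
# 198.51.100.4 is a normal user who mistypes a password once;
# mallory's login was one of the sprayed attempts that happened to succeed.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=alice@example.com event=login result=fail
2023-10-01T12:00:02Z ip=203.0.113.7 user=bob@example.com event=login result=fail
2023-10-01T12:00:03Z ip=203.0.113.7 user=carol@example.com event=login result=fail
2023-10-01T12:00:04Z ip=203.0.113.7 user=dave@example.com event=login result=fail
2023-10-01T12:00:05Z ip=203.0.113.7 user=erin@example.com event=login result=fail
2023-10-01T12:00:06Z ip=203.0.113.7 user=mallory@example.com event=login result=success
2023-10-01T12:00:07Z ip=203.0.113.7 user=frank@example.com event=login result=fail
2023-10-01T12:01:00Z ip=198.51.100.4 user=grace@example.com event=login result=fail
2023-10-01T12:01:20Z ip=198.51.100.4 user=grace@example.com event=login result=success
2023-10-01T12:02:00Z ip=198.51.100.4 user=grace@example.com event=profile_view target=p001
2023-10-01T12:02:10Z ip=198.51.100.4 user=grace@example.com event=profile_view target=p002
"""
# The stuffed account then walks its relative list: 120 profile views in two
# minutes, far more than a person browsing their own matches produces.
SAMPLE_LOG += "".join(
    f"{(datetime(2023, 10, 1, 12, 3) + timedelta(seconds=i)).strftime(TS_FMT)} "
    f"ip=203.0.113.7 user=mallory@example.com event=profile_view target=p{100 + i}\n"
    for i in range(120)
)


def parse_line(line):
    """'<ts> k=v k=v ...' -> dict, with the timestamp parsed under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, TS_FMT)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def load_sample_events():
    return [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, inside any `window`, try logins for at least
    `min_distinct_users` different accounts with failure ratio >= `min_fail_ratio`.
    Returns {ip: {"distinct_users", "failures", "attempts"}} for the widest window
    seen per IP. Many *users* from one source is the tell: per-account lockout
    never fires because each account is tried only once or twice."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("event") == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):          # O(n^2) per IP; fine for batch analysis
            users, failures = set(), 0
            for j in range(i, len(evs)):
                if evs[j]["ts"] - evs[i]["ts"] > window:
                    break
                users.add(evs[j]["user"])
                failures += evs[j]["result"] == "fail"
                attempts = j - i + 1
                if len(users) >= min_distinct_users and failures / attempts >= min_fail_ratio:
                    best = flagged.get(ip)
                    if best is None or len(users) > best["distinct_users"]:
                        flagged[ip] = {"distinct_users": len(users),
                                       "failures": failures, "attempts": attempts}
    return flagged


def detect_relative_scraping(events, window=timedelta(hours=1), max_views=50):
    """Flag accounts whose profile_view count inside any `window` exceeds
    `max_views`. Returns {user: peak_views}. This catches the second stage:
    a validly authenticated session enumerating other people's data."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "profile_view":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while times[start] < t - window:   # slide the window start forward
                start += 1
            views = end - start + 1
            if views > max_views:
                flagged[user] = max(flagged.get(user, 0), views)
    return flagged


if __name__ == "__main__":
    evs = load_sample_events()
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("relative scraping:", detect_relative_scraping(evs))
```

On the sample, the first detector flags 203.0.113.7 (seven distinct accounts, six failures, one success) while grace’s single mistyped password stays below threshold; the second flags mallory’s session at 120 profile views and leaves grace’s two views alone. The two checks are deliberately independent: mandatory second-factor login addresses the first signal, but only a limit on how much relative data one session may read addresses the second.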
“The joint investigation demonstrates the increasing international cooperation needed to address data breaches that transcend borders,” explained cybersecurity analyst Dr. Elaine Morrison from the University of Toronto. “These genetic databases contain information not just about individual users, but potentially their entire biological families.”
The breach has already triggered several class-action lawsuits in Canada and the United States, with plaintiffs arguing 23andMe failed to implement adequate security measures despite the extraordinarily sensitive nature of its data holdings.
23andMe responded by forcing a password reset for all customers, making two-step verification mandatory, and encouraging users to choose passwords they use nowhere else. Those measures harden the login step; they do not by themselves limit how much relative data a session that does authenticate can read. The company stated it is “fully cooperating with all regulatory investigations” while maintaining that “the unauthorized access resulted from customers reusing passwords, not from a breach of 23andMe’s systems.”
However, privacy advocates remain skeptical. “Companies that collect genetic data have an exceptional duty of care,” said Brenda McPhail, privacy director at the Canadian Civil Liberties Association. “Blaming users for password habits overlooks the fundamental responsibility these companies have when they commercialize our genetic information.”
The joint investigation will examine whether 23andMe complied with Canada’s Personal Information Protection and Electronic Documents Act and with the UK GDPR and Data Protection Act 2018. Potential penalties could reach into the millions, especially under the UK regime, which permits fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious data protection violations.
As genetic testing becomes increasingly mainstream, this case raises profound questions about the safeguards surrounding our most intimate biological information. When we mail our DNA samples to private companies, are we fully considering who might eventually access that data—and what they might do with it?