BreachOfPrivacy
Regulator: Office of the Privacy Commissioner of Canada
Statute: Personal Information Protection and Electronic Documents Act
Reference: PIPEDA Findings #2025-001
Outcome: Well-founded & resolved

PIPEDA Findings #2025-001: Joint investigation into a data breach at 23andMe by the Privacy Commissioner of Canada and the UK Information Commissioner

Organization: 23andMe Inc.
Decision: Jun 20, 2025
Published: Jun 20, 2025

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe that affected nearly 7 million customers globally. The attacker used credential stuffing: replaying username and password pairs leaked in breaches of other services against the 23andMe login, so that logins to accounts whose owners had reused a password succeeded without any flaw in 23andMe's own password storage. Most of the people affected were not logged into directly; a much smaller number of accounts were accessed with reused credentials, and the attacker then harvested the profile information those accounts could see about genetic relatives. The investigation found that 23andMe failed to implement safeguards appropriate to the sensitivity of the information it held, including genetic data, against this kind of attack. The company's notifications to both regulators and to affected individuals were also found to be inadequate in content and, in some cases, in timeliness. Although contraventions were found, the matters were treated as resolved because of the significant security improvements 23andMe had since made.

  • Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
  • Timeliness and completeness of breach notifications to regulators and affected individuals.
  • Risk of harm to individuals due to the sensitive nature of compromised personal information.
  • 23andMe's assessment of and response to the identified security deficiencies.

Contraventions found, but issues resolved due to implemented corrective measures.

23andMe failed to implement adequate safeguards against credential stuffing and provided incomplete breach notifications. The company has since implemented significant security improvements and revised its notification processes to the satisfaction of the OPC and the ICO.

AI-generated summary for reference only. Always verify against the official decision.

Recommended action / remedy

23andMe was required to implement enhanced safeguards, including mandatory multi-factor authentication, stronger password policies, additional protection for sensitive data, and updated monitoring and detection measures for attacks such as credential stuffing. It also updated its policies and procedures for breach notification.
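The "monitoring and detection measures" above are not described in any more detail in the findings. The following is an added example of what such detection looks like in practice, written for this page; it is not code from the decision, from 23andMe or from either regulator. The log format, field names, sample log lines and thresholds are all assumptions chosen for illustration. It flags a source that tries many distinct accounts within a short window with mostly failing logins, which is the shape of credential stuffing, and lists the accounts that did succeed, since those are the ones whose reused password was valid and which need to be locked, reset and enrolled in MFA.

```python
"""Credential-stuffing detection over authentication logs.

Added example for this page; it is not code from the decision, from 23andMe,
or from either regulator. The log format, field names and thresholds below
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One attempt per line:
#   <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol FAIL
2023-10-01T12:00:03Z 203.0.113.7 dave OK
2023-10-01T12:00:03Z 203.0.113.7 erin FAIL
2023-10-01T12:00:04Z 203.0.113.7 frank FAIL
2023-10-01T12:00:04Z 203.0.113.7 grace OK
2023-10-01T12:00:05Z 203.0.113.7 heidi FAIL
2023-10-01T12:00:05Z 203.0.113.7 ivan FAIL
2023-10-01T12:00:06Z 203.0.113.7 judy FAIL
2023-10-01T12:00:06Z 203.0.113.7 mallory FAIL
2023-10-01T12:00:07Z 203.0.113.7 oscar FAIL
2023-10-01T12:10:00Z 198.51.100.9 alice FAIL
2023-10-01T12:10:20Z 198.51.100.9 alice FAIL
2023-10-01T12:10:40Z 198.51.100.9 alice OK
2023-10-01T12:30:00Z 192.0.2.44 peggy OK
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_DISTINCT_USERS = 10         # assumed: distinct accounts tried from one source
MIN_FAIL_RATIO = 0.5            # assumed: share of attempts that failed


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Flag source IPs that, within one window, tried many distinct accounts
    with mostly failing logins.

    Many usernames, a high failure rate and a few successes is the signature
    of credential stuffing. A brute force against one account (one username,
    many failures) is a different pattern and is intentionally not matched.
    The successes inside a flagged window are the accounts whose reused
    password was valid: lock them, force a reset and enrol them in MFA.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        for i, (start, _, _, _) in enumerate(evs):
            # events are sorted, so the attempts inside the window starting
            # at evs[i] are a prefix of evs[i:]
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in in_window}
            failures = sum(1 for e in in_window if not e[3])
            if len(users) < min_users or failures / len(in_window) < min_fail_ratio:
                continue
            candidate = {
                "window_start": start.isoformat(),
                "attempts": len(in_window),
                "distinct_users": len(users),
                "failures": failures,
                "compromised": sorted({e[2] for e in in_window if e[3]}),
            }
            if best is None or candidate["distinct_users"] > best["distinct_users"]:
                best = candidate
        if best is not None:
            findings[ip] = best
    return findings


def run_on_sample():
    """Run the detector over the constructed sample log."""
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, finding in run_on_sample().items():
        print(f"{ip}: {finding['distinct_users']} accounts tried, "
              f"{finding['failures']}/{finding['attempts']} failed, "
              f"compromised={finding['compromised']}")
```

In the sample, 203.0.113.7 is flagged (12 accounts in six seconds, 10 failures, dave and grace compromised), while the three attempts against alice from 198.51.100.9 are not, because one account is not stuffing. The caveat a practitioner should keep in mind is that real stuffing campaigns are usually spread across many proxy or botnet addresses precisely to stay under per-IP thresholds, so this per-source view should be paired with site-wide signals (overall login failure ratio, logins from never-seen devices) and with the control that makes a valid reused password insufficient on its own, which is the mandatory multi-factor authentication listed in the remedy above.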

Statutory provisions cited
  • Principle 4.7 of Schedule 1 of PIPEDA (safeguards)
  • Section 10.1 of PIPEDA (breach reporting and notification)
  • Sections 2 and 3 of the Breach of Security Safeguards Regulations (contents of the report to the Commissioner and of the notification to affected individuals)

This summary is informational only and not legal advice.