Ontario
British Columbia
Alberta
Saskatchewan
Manitoba
Quebec
Nova Scotia
New Brunswick
Prince Edward Island
Newfoundland and LabradorFederal (Canada)Personal Information Protection and Electronic Documents ActWell-founded & resolved
Jun 20, 2025PIPEDA Findings #2025-001
PIPEDA Findings #2025-001: Joint investigation into a data breach at 23andMe by the Privacy Commissioner of Canada and the UK Information Commissioner
23andMe Inc.
This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.