
24 June 2025 (6 minute read)

Compliance recommendations from Privacy Commissioners’ report on 23andMe data breach

Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards recently conducted an extensive investigation into a significant data breach at 23andMe, a renowned direct-to-consumer genetic testing company.

The October 2023 breach affected approximately seven million customers globally, including almost 320,000 Canadians. 23andMe revealed that it had fallen victim to a credential-stuffing attack (where hackers use stolen log-in details from previous breaches on other websites and attempt to access accounts until they find matches) that spanned over five months. The attacker accessed more than 18,000 customer accounts, exposing highly sensitive personal information, including health data, race and ethnicity details, and genetic information.

The Commissioners’ key findings included:

  • Security measures: Like many organizations, 23andMe faced challenges in balancing user experience with security measures such as multi-factor authentication (MFA) and robust password security. The Commissioners found that only 22 percent of users adopted MFA, and specifically noted executives’ concerns about “user friction”. 23andMe also had a relatively weak password requirement, including only an eight-character minimum and no checks to determine if user credentials had been compromised in previously known breaches. The Commissioners also observed that 23andMe did not require additional protections for accessing very sensitive information like raw DNA data.

  • Detection and response: The company’s systems failed to detect the unauthorized access, missing key opportunities to identify the breach over a five-month period due to inadequate logging and monitoring practices. It took four days to disable active user sessions and initiate a password reset, and about a month to implement mandatory MFA and disable the raw DNA download feature.

  • Breach notification: 23andMe’s notifications to privacy regulators and affected individuals were insufficient, and reports to the commissioners failed to include complete information about the breach, particularly regarding raw DNA data. Notifications to affected individuals were delayed, with directly accessed accounts not being notified until January 2024, over a month after the forensic analysis was completed.

The joint investigation concluded that 23andMe contravened Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the UK's General Data Protection Regulation (UK GDPR), while acknowledging (delayed) subsequent improvements by 23andMe. Given that 23andMe had, during the investigation, filed for bankruptcy, the Commissioners emphasized the importance of compliance with data protection laws to the US Trustee overseeing those proceedings.

The UK commissioner imposed a £2.31M penalty on 23andMe under UK GDPR. There was no similar enforcement in Canada because PIPEDA does not grant the authority to issue fines – though proposed amendments going back several years have sought to change that.

This case is emblematic of the broader challenges facing all organizations entrusted with sensitive data. Attackers’ tactics are constantly evolving, and even companies with significant resources can find themselves vulnerable to sophisticated attacks. This investigation’s findings serve as a critical reminder that stringent data protection measures are important and that security failures have very significant consequences in the digital age. It also highlights that organizations must take into account what their users are doing and the sensitivity of the personal information that may be subject to exposure in an attack.

The Commissioners made several notable specific recommendations, advising that companies should, under both PIPEDA and UK GDPR:

  • Identify potential threats and assess risk of harm: Organizations should systematically identify cyber threats and evaluate associated risks, particularly when handling highly sensitive data like genetic information. Genetic data—which reveals ancestry, health predispositions, and biological relationships—carries heightened risks of misuse, including discrimination or targeted attacks based on ethnic backgrounds. The Commissioners stressed that safeguards must be scaled to this elevated risk profile, requiring rigorous threat modeling and continuous risk reassessment.

  • Implement robust safeguards proportionate to data sensitivity: The attack succeeded because compromised credentials allowed access to DNA relatives' profiles, health reports, and raw genetic data. The Commissioners argued that appropriate safeguards can protect personal information in the event of a credential stuffing attack.

  • Use mandatory multi-factor authentication (MFA) where appropriate: The Commissioners recommended that MFA be enforced universally, not as an opt-in feature, particularly given the sensitivity of the data stored by the company.

  • Deploy strong minimum password requirements: Generally speaking, longer, unique, and more complex passwords may thwart hackers (though they may also lead to consumers forgetting their passwords too frequently). It is best practice for users to use a safe password manager and password generation tool to ensure unique complex passwords across all websites, but the Commissioners argued that maintaining password uniqueness is also partly the provider’s problem. The Commissioners in particular recommended performing compromised password checks, blocking passwords known from prior breaches to prevent reuse.

  • Ensure adequate monitoring to detect abnormal activity: The Commissioners recommended monitoring for spikes in failed logins, unfamiliar devices, or suspicious locations to flag attacks early.

  • Prioritize security in web design and customer experience: The Commissioners suggested that security cannot be an afterthought but rather must be integrated into web design and user workflows. Prioritizing safeguards during design (such as frictionless MFA integration or real-time threat alerts) balances security with usability. The Commissioners noted that breaches directly undermine customer experience and that delayed breach confirmation undermines user trust.

  • Provide prompt and comprehensive breach notification to regulators and individuals as required by law: The Commissioners specifically advised that organizations must notify regulators and affected individuals "as soon as feasible" where any breach meets the threshold of a real risk of significant harm. 23andMe’s delayed investigation (which apparently began only after stolen data appeared on an online forum) exacerbated risks like identity theft or targeted scams.
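To make the monitoring recommendation above concrete, here is an added example (not code from 23andMe or from the Commissioners' report) of two detections run over a constructed login audit log: one source IP failing logins across many distinct accounts inside a short window, which is the pattern credential stuffing produces, and a successful login from a device the account has never used. The log format, the "known devices" store and the thresholds are all assumptions for the illustration.

```python
# Added example, not code from 23andMe or the regulators: two of the recommended
# detections over a constructed audit-log format
# "<ISO time> OK|FAIL user=<id> ip=<addr> device=<fingerprint>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one IP cycling through many accounts (the credential-
# stuffing signature), then succeeding on an account from a device it never used.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z FAIL user=u1001 ip=203.0.113.7 device=d1
2023-10-01T10:00:02Z FAIL user=u1002 ip=203.0.113.7 device=d1
2023-10-01T10:00:03Z FAIL user=u1003 ip=203.0.113.7 device=d1
2023-10-01T10:00:04Z FAIL user=u1004 ip=203.0.113.7 device=d1
2023-10-01T10:00:06Z OK user=u1006 ip=203.0.113.7 device=d1
2023-10-01T10:05:00Z OK user=u2001 ip=198.51.100.9 device=d2
2023-10-01T10:06:00Z FAIL user=u2001 ip=198.51.100.9 device=d2
"""
# Constructed "devices previously seen" store, keyed by user.
KNOWN_DEVICES = {"u1006": {"d9"}, "u2001": {"d2"}}

def parse(line):
    ts, result, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["ok"] = result == "OK"
    return ev

def detect(log, window=timedelta(minutes=5), min_fails=3, min_users=3):
    """Return alerts as tuples. 'stuffing': one source IP has >= min_fails failed
    logins across >= min_users distinct accounts inside the window. 'new_device':
    a successful login from a device the account has not used before; the last
    field says whether that IP was already flagged for stuffing (highest priority)."""
    fails, flagged, alerts = defaultdict(list), set(), []
    for ev in (parse(line) for line in log.strip().splitlines()):
        ip, user = ev["ip"], ev["user"]
        if not ev["ok"]:
            recent = [(t, u) for t, u in fails[ip] if ev["ts"] - t <= window]
            recent.append((ev["ts"], user))
            fails[ip] = recent
            users = {u for _, u in recent}
            if ip not in flagged and len(recent) >= min_fails and len(users) >= min_users:
                flagged.add(ip)
                alerts.append(("stuffing", ip, len(users)))
        elif ev["device"] not in KNOWN_DEVICES.get(user, set()):
            alerts.append(("new_device", user, ip, ip in flagged))
    return alerts
```

On the sample, the spraying IP is flagged at its third distinct-account failure, and the later success from that same IP on an unfamiliar device is reported with the stuffing correlation set, which is the event a responder would act on first.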

Takeaways

The investigation findings set out the Commissioners’ views and recommendations in detail. However, each organization must carefully analyze its own security posture in light of its own business, operations, and practices. The recommendations in this decision may not apply in every case.

In addition, while prompt and comprehensive notification is required to meet the legal standards, organizations must also carefully consider the scope and timing of disclosures to protect ongoing investigations and mitigate further risks. Organizations should work closely with legal counsel to assess the law and the facts.

Ultimately, the 23andMe breach underscores a fundamental truth: in cybersecurity there are no guarantees. The arms race between attackers and defenders means that even the most diligent organizations must remain vigilant and adaptable. While regulatory expectations are rising, so too are the tools and strategies available to organizations. By staying informed, investing in robust technical and procedural safeguards, and seeking timely legal advice, companies can not only reduce their risk but also demonstrate accountability and resilience in the face of inevitable challenges.
