
23andMe had ‘inadequate’ security before ‘profoundly damaging’ hack: probe
Global News
23andMe had “inadequate” security systems and was “slow to respond” to warning signs that customers’ sensitive data was at risk before the “profoundly damaging” hack, officials say.
Genetic data company 23andMe had “inadequate” security systems and was “slow to respond” to warning signs that customers’ sensitive data was at risk before the “profoundly damaging” 2023 data breach, privacy officials say.
Canadian Privacy Commissioner Philippe Dufresne and U.K. Information Commissioner John Edwards released the results of their joint investigation into the breach on Tuesday.
The investigation found that of the almost seven million people impacted worldwide, nearly 320,000 Canadians and more than 150,000 people in the U.K. had their sensitive genetic information compromised by hackers.
Dufresne said Tuesday the breach serves as a “cautionary tale” for all organizations about the importance of data protection.
Dufresne added that 23andMe lacked appropriate authentication and verification measures in its login process, such as multi-factor authentication and even strong minimum password requirements.
“With data breaches growing in severity and complexity and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,” Dufresne said.
While Canada’s privacy commissioner does not have the power to levy fines, the U.K. information commissioner can – and in this case, is fining 23andMe a total of 2.31 million pounds.
The fine is the result of 23andMe “failing to implement appropriate security measures to protect the personal information of U.K. users,” Edwards said.
