Genetic data company 23andMe had “inadequate” security systems and was “slow to respond” to warning signs that customers' sensitive data was at risk before a “deeply damaging” data breach, according to privacy officials.
Canadian Privacy Commissioner Philippe Dufresne and British Commissioner John Edwards published the results of their joint investigation into the breach on Tuesday.
The investigation found that nearly seven million people worldwide were affected, with nearly 320,000 Canadians and more than 150,000 people in the United Kingdom having their sensitive genetic information compromised by hackers.
Dufresne said on Tuesday that the breach serves as a “cautionary tale” for all organizations on the importance of data protection.

Dufresne added that 23andMe lacked security measures, in particular appropriate authentication and verification measures as part of the login process, such as multi-factor authentication and even strong minimum password requirements.
“With data breaches increasing in severity and complexity, and ransomware and malware rising sharply, any organization that does not take action to prioritize data protection and respond to these threats is increasingly vulnerable,” said Dufresne.
Although Canada's privacy commissioner does not have the power to levy fines, the United Kingdom's commissioner can – and in this case, fined 23andMe a total of 2.31 million pounds.
The fine is the result of 23andMe “not implementing appropriate security measures to protect the personal information of British users,” said Edwards.

Edwards said that the October 2023 data breach exposed sensitive personal information, family history and even health problems.

“It was a deeply damaging breach,” he said.
“23andMe failed to take basic measures to protect people’s information. Security systems were inadequate. The warning signs were there and the company was slow.”
He then told journalists that his office had heard from people affected by the breach, who said they felt “anxious” about what it could mean for their personal, financial and family security.
According to Dufresne, their investigation found that stolen data was also offered for sale online, putting the personal information of affected individuals at “more risk.”

The company settled a lawsuit at the end of last year that accused 23andMe of not protecting the privacy of 6.9 million customers whose personal information was exposed in the breach. The company was ordered to pay US$30 million and to provide three years of security monitoring.
In the months following the breach, the company faced many problems, including seeing its publicly listed value drop by more than 97% and its seven independent directors resigning last September amid its founder's plan to take the company private.
The company has never made a profit and filed for bankruptcy in March, seeking to sell its business at auction after a drop in demand and the 2023 data breach.
Last month, Regeneron Pharmaceuticals agreed to buy the company for $256 million, but on Monday declined to submit a new offer for the company after 23andMe co-founder Anne Wojcicki beat its offer with a bid from the non-profit organization.

Wojcicki’s offer is expected to close in the coming weeks after a court hearing scheduled for Tuesday, according to her non-profit, TTAM Research Institute. The non-profit said that it would uphold 23andMe's existing privacy policies and comply with all applicable data protection laws.
Journalists also asked Dufresne about Wojcicki, who was CEO during the data breach, taking over once again and potentially selling data outside the company.
He said that the company had taken measures to respond to some of the recommendations made by his and Edwards's offices, and that assurances had been received from the new buyer that it would respect existing privacy policies and clauses.
“We have indicated in the report that we will follow this carefully, that the obligations should continue to apply to any new owner and that if there are concerns, our citizens can contact us and we will take the appropriate measures,” said Dufresne.
He added that while his office cannot levy fines, it makes recommendations to the government and works with the international community where necessary. He said that in “appropriate cases,” he can also apply to the Federal Court for an order imposing binding obligations on an organization.
But Edwards issued another stern warning to 23andMe that it could face new fines and enforcement action if measures are not taken.
“These are current obligations; it was therefore drawn to the attention of leadership that they were in violation,” said Edwards. “They did not reach the standard required by British law. If they do not remedy that, they will remain in violation and could be exposed to additional enforcement measures.”
– with files from Reuters
© 2025 Global News, a division of Corus Entertainment Inc.