On June 17, 2025, the Office of the Privacy Commissioner of Canada (OPC) released a summary of its investigation findings regarding a data breach at 23andMe, which affected nearly seven million customers, including approximately 320,000 Canadians.
The compromised data included information derived from individuals' DNA or disclosed by the individuals themselves, much of which is considered "sensitive" under Canadian privacy legislation: health details, race, ethnicity, information about relatives, date of birth, sex at birth and gender.
The data breach reportedly resulted from a credential-stuffing attack, in which a threat actor took username and password pairs exposed in unrelated breaches and used them to log in to the accounts of 23andMe customers who had reused those credentials, gaining unauthorized access to 23andMe’s platform.
Following a joint investigation, the OPC and the UK Information Commissioner’s Office (ICO) asserted there were deficiencies in 23andMe’s security practices. The authorities asserted that 23andMe:
As a result, the OPC and ICO emphasized the need for organizations to take proactive steps to protect against cyber-attacks, such as: multi-factor authentication; strong minimum password requirements; checks for compromised (previously breached) passwords; and monitoring systems to detect abnormal activity, such as login attempts against many accounts from a single source.
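As an added illustration, and not code from the OPC/ICO findings or from 23andMe's systems, the Python below sketches two of the controls named above: a compromised-password check in the k-anonymity style used by breach-lookup services (only a short hash prefix leaves the client), combined with a minimum-length rule, and a detector that flags a source address attempting logins across many distinct accounts within a short window, which is the signature of credential stuffing. The breach list and the login events are constructed sample data; function names and thresholds are assumptions chosen for illustration.

```python
"""Constructed illustration of two credential-stuffing controls.

Assumptions (not from the original page): the breach list, the login
events, the window size and the account-count threshold are all made up.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus (e.g. an HIBP-style feed).
BREACHED_PASSWORDS = {"password123", "Summer2023!", "letmein", "qwerty"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in BREACHED_PASSWORDS}


def is_compromised(password: str) -> bool:
    """True if the password appears in the breach corpus.

    Mirrors the k-anonymity lookup: the client sends only the first five hex
    characters of the SHA-1 digest and compares the returned suffixes locally.
    Here the 'range' response is simulated from the local set.
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    range_response = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in range_response


def password_policy_violations(password: str, min_length: int = 12) -> list:
    """Return the reasons a candidate password should be rejected (empty if acceptable)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_compromised(password):
        reasons.append("appears in a known breach")
    return reasons


# Constructed login events: (timestamp_seconds, source_ip, username, success).
LOGIN_EVENTS = [
    # legitimate user: one typo, then success
    (1000, "198.51.100.20", "alice", False),
    (1012, "198.51.100.20", "alice", True),
    # credential-stuffing burst: one source, eight accounts, low success ratio
    (2000, "203.0.113.7", "bob", False),
    (2001, "203.0.113.7", "carol", True),
    (2002, "203.0.113.7", "dave", False),
    (2003, "203.0.113.7", "erin", False),
    (2004, "203.0.113.7", "frank", False),
    (2005, "203.0.113.7", "grace", True),
    (2006, "203.0.113.7", "heidi", False),
    (2007, "203.0.113.7", "ivan", False),
    # household sharing one address: two accounts, below threshold
    (3000, "192.0.2.44", "judy", True),
    (3100, "192.0.2.44", "mallory", True),
]


def detect_credential_stuffing(events, window_s: int = 300, min_accounts: int = 5) -> dict:
    """Flag source IPs that attempt logins against >= min_accounts distinct
    accounts inside one fixed window (ts // window_s).

    Returns {ip: {distinct_accounts, attempts, success_ratio, compromised_accounts}}.
    The compromised_accounts list is what an incident responder would use to
    force password resets and session revocation.
    """
    buckets = defaultdict(list)  # (ip, window_index) -> [(user, success), ...]
    for ts, ip, user, ok in events:
        buckets[(ip, ts // window_s)].append((user, ok))

    flagged = {}
    for (ip, _), attempts in buckets.items():
        users = {u for u, _ in attempts}
        if len(users) < min_accounts:
            continue
        successes = sorted({u for u, ok in attempts if ok})
        flagged[ip] = {
            "distinct_accounts": len(users),
            "attempts": len(attempts),
            "success_ratio": len(successes) / len(attempts),
            "compromised_accounts": successes,
        }
    return flagged


if __name__ == "__main__":
    print(password_policy_violations("password123"))
    print(detect_credential_stuffing(LOGIN_EVENTS))
```

The fixed-window grouping keeps the detector cheap enough to run over raw authentication logs; a production rule would also key on user-agent and ASN, since attackers rotate source addresses, and would feed the flagged successes into a forced-reset workflow rather than only reporting them.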
They also remind organizations that:
The ICO fined 23andMe £2.31 million under UK privacy law. Under Canada's federal private sector privacy legislation, the OPC has no power to impose a penalty, so no penalty arises from its findings. Accordingly, Privacy Commissioner Philippe Dufresne has called for modernized privacy legislation that would give the OPC stronger enforcement powers, aligning Canada with its international counterparts.
The expectation among privacy professionals in Canada is that the federal government will bring forward legislation to update the federal private sector privacy regime, including, among other things, penalties for non-compliance. In the meantime, organizations should take note of the substantial penalties already available under the Quebec private sector privacy regime.
This investigation highlights the need for controls, systems and processes, appropriate to the sensitivity of the information to be protected, to meet the obligations to safeguard personal information and manage risk.
For more information on privacy compliance and data protection, please contact one of our privacy and cybersecurity lawyers.