
23andMe Faulted For Lax Security In 'Profoundly Damaging' 2023 Data Breach


Canadian and U.K. privacy regulators have criticized 23andMe for inadequate security measures that led to a data breach affecting nearly seven million users in October 2023. The probe revealed a lack of multi-factor authentication and weak password requirements, resulting in a £2.31 million fine in the U.K. and exposure of sensitive personal and health information. While 23andMe has settled a class-action suit for $30 million and is being acquired by TTAM Research Institute for $305 million with pledges to improve security, regulators warn of further enforcement if data protection lapses persist under the new ownership.

Analysis

Genetic testing firm 23andMe faced severe repercussions following an October 2023 data breach that exposed sensitive information of nearly seven million users, including 320,000 Canadians and 155,000 Britons. Joint investigations by Canadian and U.K. privacy watchdogs revealed critical security deficiencies, specifically the absence of multi-factor authentication and inadequate password requirements, which facilitated unauthorized access via recycled credentials. This negligence resulted in a £2.31 million fine from the U.K.'s Information Commissioner and strong condemnation for the company's slow response and failure to protect special-category genetic data. While raw DNA sequences were reportedly not compromised, hackers accessed and offered for sale personal details such as birth years, locations, family trees, and health reports.

Financially, 23andMe agreed to a $30 million settlement in a class-action lawsuit, which includes three years of credit monitoring for affected individuals. The company is currently undergoing bankruptcy proceedings, with its assets set to be acquired by TTAM Research Institute for $305 million, an offer that surpassed Regeneron's bid. TTAM Research Institute has committed to legally binding improvements in data security and adherence to existing privacy policies, though regulators have explicitly warned that any future lapses under the new ownership will prompt further enforcement actions, underscoring the indelible nature of genetic information exposure.