23andMe failed to protect user data ahead of major breach, say privacy watchdogs

Privacy watchdogs in Canada and the UK found that 23andMe failed to implement adequate security measures before a 2023 cyberattack that compromised the data of nearly seven million users, including genetic and ancestry information of over 320,000 Canadians and 150,000 individuals in the UK. The regulators cited the lack of multi-factor authentication and weak password requirements as key failures, which contributed to a 97% decline in the company's market value and to its subsequent bankruptcy filing. While Regeneron Pharmaceuticals initially offered $256 million to acquire 23andMe, the bid was withdrawn after co-founder Anne Wojcicki submitted a competing $305 million offer through her nonprofit, TTAM Research Institute.

Analysis

A joint investigation by Canadian and UK privacy regulators determined that 23andMe's failure to implement basic security protections, notably the absence of multi-factor authentication and weak password requirements, directly contributed to a 2023 cyberattack that compromised the sensitive data of nearly seven million users, including genetic and ancestry information for approximately 320,000 Canadians and over 150,000 individuals in the UK. This security lapse triggered a severe downturn for the California-based company, leading to a market value plunge of over 97% since its public listing, the resignation of all seven independent directors in September 2023, and a subsequent bankruptcy filing in March. While Regeneron Pharmaceuticals initially proposed a $256 million acquisition, this offer was retracted after 23andMe co-founder Anne Wojcicki, through her nonprofit TTAM Research Institute, submitted a competing $305 million bid, which is expected to be finalized following court approval. TTAM has pledged to uphold 23andMe's existing privacy commitments and comply with all relevant data protection laws, but the incident serves as a stark illustration of the extensive consequences of inadequate data security practices for organizations handling sensitive information.