Latest news with #Dufresne

23andMe 'failed to take basic steps' to protect private information, investigation finds

Yahoo

18-06-2025

  • Business
  • Yahoo

DNA testing company 23andMe didn't have adequate data protections and ignored warning signs ahead of a massive data breach almost two years ago, an investigation by Canada's privacy commissioner found. Commissioner Philippe Dufresne told reporters that proper protections were not in place in 2023 when hackers gained access to roughly 6.9 million profiles on the site — nearly half its client base. "The breach serves as a cautionary tale for all organizations about the importance of data protections," Dufresne said during a news conference on Tuesday. "With data breaches growing in severity and complexity — and ransomware and malware attacks rising sharply — any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable." Customer profiles contained delicate personal data, including birth year, geographic location, health information and the percentage of DNA users share with their relatives. Dufresne said some of the stolen info was later being sold online. The investigation was launched last year in conjunction with U.K. information commissioner John Edwards. "23andMe failed to take basic steps to protect people's information, their security systems were inadequate, the warning signs were there and the company was slow to respond," Edwards said. Like other genetic testing businesses, 23andMe uses saliva samples to generate reports about a customer's ancestry as well as potential predispositions to certain health conditions. Nearly 320,000 Canadians and 150,000 people in the U.K. were impacted by the 2023 breach, the commissioners said. Edwards said that the U.K. has slapped the San Francisco-based company with a $4.2-million fine over the data breach, but Dufresne said he doesn't have the power to hit the company with monetary penalties.
"[The authority to fine companies] is something that exists broadly around the world in privacy authorities and it is something that is necessary. Unfortunately, Canadian privacy law does not yet provide this to me," Dufresne said. Legal changes have been proposed in the past that would give the privacy commissioner the authority to levy fines, but have never been enacted. Dufresne said he hopes the new Parliament will propose changes again soon. 23andMe filed for bankruptcy earlier this year and announced that it would be selling off its assets — meaning customers' data could be "accessed, sold or transferred." However, the company said the bankruptcy process will not affect how it stores, manages or protects customer data. Dufresne and Edwards said they expect the company to adequately protect user data during any sale. "We will be following this carefully … the [privacy] obligations should continue to apply to any new owner," Dufresne said.

Lack of appropriate safeguards led to 23andMe data breach, joint investigation finds

Toronto Star

17-06-2025

  • Business
  • Toronto Star

OTTAWA - Canada's privacy watchdog says inadequate security measures opened the door to a data breach discovered two years ago at genetic testing company 23andMe. Privacy commissioner Philippe Dufresne and U.K. information commissioner John Edwards released the findings from their joint investigation of the breach, which affected almost seven million people, including nearly 320,000 in Canada. Dufresne told a news conference today the breach serves as a cautionary tale for all organizations about the importance of data protection in an era of growing cyberthreats. He says strong protection must be a priority for organizations, especially those holding sensitive personal information. 23andMe, which filed for bankruptcy in March, sells testing kits that use a customer's saliva sample to uncover genetic information through DNA analysis, including details about health, ancestry and biological relationships. Dufresne and Edwards announced last May they would look into the data breach's scope, the company's data handling safeguards and whether it adequately notified regulators and affected individuals about the lapse. This report by The Canadian Press was first published June 17, 2025.

Lost RCMP USB stick identifying informants and witnesses offered for sale by criminals

Vancouver Sun

10-06-2025

  • Vancouver Sun

The RCMP lost a memory key containing personal information about victims, witnesses and informants, and later learned it was being offered for sale by criminals, the federal privacy watchdog says. A detailed report from the office of privacy commissioner Philippe Dufresne reveals the RCMP told the watchdog about the breach in March 2022, prompting a lengthy investigation. The RCMP determined that the unencrypted USB storage device contained the personal information of 1,741 people, including witnesses, complainants, subjects of interest, informants, police officers and civilian employees. 'The RCMP's investigation also established that only some of the documents on the device were password protected and that the device itself was not encrypted nor password protected,' the privacy watchdog's report says. The Mounties learned from a confidential source three weeks after the loss that the data on the device was being offered for sale by members of the criminal community. 'Given the nature and sensitivity of the information that the RCMP handles on a daily basis, (our office) would have expected the RCMP to have strict security measures in place to safeguard its information holdings,' the privacy commissioner's report says. 'We also would have expected for those measures to be stringently monitored and that the RCMP would take prompt action where non-compliance, whether accidental or not, is discovered.' Dufresne's office found the RCMP violated the Privacy Act, given that the personal information of individuals was disclosed without their consent.
The privacy watchdog also concluded that RCMP personnel failed to report the loss of the USB storage device to the force's authorities in a timely manner. However, once aware of the breach, the RCMP's notification to affected individuals and the steps taken to manage the risk of further harm to them were 'generally appropriate in the circumstance,' the report says. Finally, Dufresne's office found the RCMP failed to take appropriate measures to safeguard the personal information. The privacy watchdog recommended the RCMP adopt strict security measures for the use of USB storage devices. This included measures not only to ensure that approved USB devices are used, but also audits to confirm that devices are returned when no longer needed, as well as additional training, the report says. The commissioner reports that the Mounties agreed in principle to the recommendations but did not commit to implementing them within a specific timeline. RCMP spokeswoman Robin Percival said Monday the force initiated a review of its security and privacy policies, as well as its awareness program, to ensure employees were reminded and sensitized of their continual responsibilities to protect sensitive information. 'The program also addresses the immediate actions to be taken in case of a security breach,' Percival said in a written response. The RCMP remains committed to preventing the use of unauthorized devices or unencrypted USB storage devices and to implementing appropriate measures and solutions across the country, she added.

Federal privacy czar starts probe into theft of customer data from Nova Scotia Power

Global News

28-05-2025

  • Business
  • Global News

The federal privacy commissioner has launched an investigation into a ransomware attack that led to the theft of personal information belonging to 280,000 customers of Nova Scotia's electric utility. Privately owned Nova Scotia Power confirmed last week that hackers stole the data and published it on the dark web. Privacy commissioner Philippe Dufresne issued a statement today confirming he started a probe after receiving complaints about a security breach the utility reported in late April. Dufresne says he's in discussions with the utility to ensure it is taking appropriate steps to deal with the breach, which has affected about half of Nova Scotia Power's customers. The commissioner says the investigation is looking into steps the company has taken to contain the breach, notify its customers and reduce the risk of fraud and identity theft. Nova Scotia Power has said it's offering affected customers a two-year subscription for credit monitoring services through TransUnion Canada. It's also sent letters to customers informing them the stolen data may include their names, birth dates, email addresses, home addresses, customer account information, driver's licence numbers, and in some instances their bank account numbers. Dufresne says customers would be wise to sign up for a credit monitoring service to reduce the potential for fraud, and he says they should monitor their bank accounts and notify their financial institutions. This report by The Canadian Press was first published May 28, 2025.