Privacy watchdogs in the UK and Canada have launched a joint investigation into last year’s 23andMe data breach.
On Monday, the UK’s Information Commissioner’s Office (ICO) and Canada’s Office of the Privacy Commissioner (OPC) announced their joint investigation into the genetic testing company, saying the two organizations will leverage “the combined resources and expertise of their two offices.”
Last year, 23andMe disclosed a security incident that affected the genetic and ancestry data of 6.9 million users, or about half of its total user base. In its data breach notices, the company said it did not detect the hackers’ activities for about five months, from April to September 2023. 23andMe said it was only made aware of the account breaches in October 2023, when the hackers advertised the stolen data on the unofficial 23andMe subreddit and a well-known hacking forum.
The stolen data included the person’s name, year of birth, relationship tags, percentage of DNA shared with relatives, parentage references and self-reported location.
Hackers broke into about 14,000 23andMe customer accounts by reusing passwords those customers had already exposed in earlier, unrelated breaches, a technique known as credential stuffing (23andMe itself describes the incident as a credential stuffing attack; password spraying, by contrast, tries a few common passwords against many accounts). From those 14,000 accounts, the hackers were able to harvest information about millions of other people because of an opt-in feature called DNA Relatives, which automatically shares some of a user’s data with other users who have also opted in, so that people can discover distant relatives. In this way the hackers obtained data on 6.9 million users by compromising only 14,000 accounts.
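As an added example (not code from the article or from 23andMe), the Python below sketches the two mechanics this paragraph describes: a simple authentication-log heuristic that separates a credential stuffing run from brute force, spray-like guessing and normal traffic, and a model of how a mutual-opt-in relative-matching feature multiplies the number of people exposed by a small number of compromised accounts. The log format, thresholds, IP addresses, user names and the relative graph are all constructed for illustration and are assumptions, not details from the incident.

```python
"""Added example (not code from the article or from 23andMe). Log format,
thresholds, IPs, user names and the relative graph are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int        # constructed timestamp (seconds)
    src_ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt:
    """Constructed log format: '<ts> <src_ip> <user> <OK|FAIL>'."""
    ts, src_ip, user, status = line.split()
    return Attempt(int(ts), src_ip, user, status == "OK")


def classify_sources(attempts, min_users=20, max_tries_per_user=2.0,
                     min_success_rate=0.01):
    """Return {src_ip: verdict}.

    Credential stuffing: one source touches many distinct accounts, about one
    try per account (the attacker holds a single leaked password per user),
    and some tries succeed because the passwords are real. Password spraying
    looks similar in volume but uses guessed passwords, so successes are rare;
    brute force hammers one account; normal clients touch few accounts.
    Thresholds are assumptions and would be tuned per site.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)
    verdicts = {}
    for ip, items in by_ip.items():
        users = {a.user for a in items}
        tries_per_user = len(items) / len(users)
        success_rate = sum(a.ok for a in items) / len(items)
        if len(users) >= min_users and tries_per_user <= max_tries_per_user:
            if success_rate >= min_success_rate:
                verdicts[ip] = "credential_stuffing"
            else:
                verdicts[ip] = "spray_like"
        elif len(users) == 1 and len(items) >= 10:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


def exposed_relatives(compromised, relatives, opted_in):
    """Accounts whose match data an attacker can read via the compromised set.

    Rule as the article describes DNA Relatives: data flows only between users
    who both opted in. A compromised account that never opted in yields no
    relatives, and a relative who never opted in stays hidden. The compromised
    accounts' own profiles are exposed regardless and are not counted here.
    """
    exposed = set()
    for acct in compromised:
        if acct not in opted_in:
            continue
        exposed.update(r for r in relatives.get(acct, ()) if r in opted_in)
    return exposed


# Constructed sample log: a normal client, a single-account brute force,
# a credential-stuffing run (real passwords, so a few logins succeed) and a
# spray-like run (guessed passwords, no successes).
SAMPLE_LOG = (
    ["1000 10.0.0.5 alice FAIL", "1005 10.0.0.5 alice OK", "1100 10.0.0.5 bob OK"]
    + [f"{2000 + i} 10.0.0.9 carol FAIL" for i in range(12)]
    + [f"{3000 + i} 203.0.113.7 user{i:03d} {'OK' if i % 10 == 0 else 'FAIL'}"
       for i in range(30)]
    + [f"{4000 + i} 198.51.100.3 user{100 + i} FAIL" for i in range(25)]
)

# Constructed relative graph: a3 never opted in, x1 is related but opted out.
RELATIVES = {
    "a1": {"r1", "r2", "r3"},
    "a2": {"r2", "r3", "r4", "x1"},
    "a3": {"r5", "r6"},
}
OPTED_IN = {"a1", "a2", "r1", "r2", "r3", "r4", "r5", "r6"}
COMPROMISED = {"a1", "a2", "a3"}


def analyze_sample():
    verdicts = classify_sources(parse_line(l) for l in SAMPLE_LOG)
    exposed = exposed_relatives(COMPROMISED, RELATIVES, OPTED_IN)
    return verdicts, exposed


if __name__ == "__main__":
    v, e = analyze_sample()
    for ip, verdict in sorted(v.items()):
        print(f"{ip:15} {verdict}")
    print(f"{len(COMPROMISED)} compromised accounts expose {len(e)} relatives: {sorted(e)}")
```

The heuristic is deliberately coarse: without the submitted passwords a log cannot prove where credentials came from, so the success rate of a many-account, one-try-each source is the cue that distinguishes stuffing with real leaked passwords from spraying with guesses. The second function is the part that matters for the 14,000-to-6.9-million figure: every compromised opted-in account reads the match data of all of its opted-in relatives, so exposure scales with the size of the match list rather than with the number of accounts broken into.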
In a statement, ICO Commissioner John Edwards was quoted as saying that people “must trust that any organization handling their most sensitive personal information has appropriate security and safeguards in place”.
“This data breach has had an international impact and we look forward to working with our Canadian counterparts to ensure that the personal information of people in the UK is protected,” Edwards said.
The joint UK-Canada inquiry will examine the scope of the information exposed and the potential harm to victims; whether 23andMe “had adequate safeguards” to protect sensitive user data; and whether 23andMe “provided adequate notice” to the ICO and OPC.
23andMe spokesperson Andy Kill said in a statement that “23andMe acknowledges the joint investigation announced by Canada’s Privacy Commissioner and the UK Information Commissioner today. We intend to cooperate with the reasonable requests of these regulators regarding the credential stuffing attack discovered in October 2023.”
UPDATE, June 10, 12:53 p.m. ET: This story has been updated to include 23andMe’s comment.