23andMe faces UK and Canadian probe over data breach

6 days ago

Image: © Victor Moussa/Stock.adobe.com

The joint investigation will look at what was exposed in the massive breach and whether 23andMe had adequate safeguards to protect this data.

UK and Canadian authorities have announced a joint investigation into DNA testing company 23andMe because of a massive data breach that occurred last year.

The breach saw an threat actor steal personal data from nearly 7m customers by gaining access to a small number of accounts. 23andMe attributed the breach to customers using exposed passwords and failing to update their login information.

The company faced lawsuits as a result of the breach and stock price has tumbled. Now, data watchdogs plan to investigate the incident further.

The UK’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) will work together to investigate the breach. This investigation aims to uncover what was exposed in the breach, the potential harm for impacted people and 23andMe’s response to the incident.

The investigation will assess whether 23andMe had adequate safeguards to protect the data within its control and if it provided adequate notification about the breach to the two regulators and impacted customers.

In a joint statement, the ICO and OPC said 23andMe is a custodian of “highly sensitive personal information” including people’s health, ethnicity and biological data – information that “does not change over time”.

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” said privacy commissioner of Canada Philippe Dufresne. “Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

23andMe said it will cooperate with the “reasonable requests” of the two data regulators.

The company previously said the stolen data related to a user’s ancestry which they would have chosen to share when opting in to 23andMe’s DNA Relatives feature. The company also said that this information “cannot be used for any harm” – though there were reports that the data was being sold on hacker forums.

Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com