Privacy watchdogs in the UK and Canada have launched a joint investigation into last year’s data breach at 23andMe.
On Monday, the UK’s Information Commissioner’s Office (ICO) and Canada’s Office of the Privacy Commissioner (OPC) announced their investigation into the genetic testing company, saying the probe would draw on “the combined resources and expertise of their two offices.”
Last year, 23andMe disclosed a security incident that affected the genetic and ancestry data of 6.9 million users, roughly half of its entire user base. In its data breach notification, the company said the attackers had access for approximately five months, from April to September 2023, without any of their activity being detected. 23andMe said it did not become aware of the breach until October 2023, when the hackers advertised the stolen data on an unofficial 23andMe subreddit and on a well-known hacking forum.
The stolen data includes the person’s name, year of birth, relationship labels, percentage of DNA shared with relatives, ancestry reports, and self-reported location.
The hackers broke into approximately 14,000 23andMe customer accounts by replaying username and password pairs that those customers had reused from earlier breaches of other services, a technique known as credential stuffing (not password spraying, which instead tries a few common passwords against many accounts). From those 14,000 accounts, the hackers scraped information on millions of other people through an opt-in feature called DNA Relatives, which lets users automatically share some of their data with other participants in order to discover distant relatives. This is how compromising just 14,000 accounts exposed the information of 6.9 million users.
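The attack pattern described above leaves a recognisable trace in authentication logs: one source hitting many distinct accounts, about one attempt per account, with a modest success rate (the reused passwords that still work). The following triage script is an added example, not code from 23andMe or from the article; it runs over a constructed sample log (the IP addresses, e-mail addresses and timestamps are made up) and separates that pattern from an ordinary user retrying a single account. The thresholds are assumptions to be tuned against real traffic.

```python
"""Credential-stuffing triage over authentication logs (added example).

Credential stuffing replays username/password pairs leaked from other
breaches, so the tell-tale pattern is one source hitting MANY DISTINCT
accounts, roughly one attempt per account, with a modest success rate.
Password spraying tries a FEW common passwords against many accounts and
succeeds far less often; a legitimate user who mistypes retries ONE
account from one source. The thresholds below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, not real 23andMe data.
# Format per line: timestamp src_ip user result
SAMPLE_LOG = """\
2023-04-10T02:01:03Z 203.0.113.7 alice@example.com FAIL
2023-04-10T02:01:04Z 203.0.113.7 bob@example.com FAIL
2023-04-10T02:01:05Z 203.0.113.7 carol@example.com SUCCESS
2023-04-10T02:01:06Z 203.0.113.7 dan@example.com FAIL
2023-04-10T02:01:07Z 203.0.113.7 erin@example.com SUCCESS
2023-04-10T02:01:08Z 203.0.113.7 frank@example.com FAIL
2023-04-10T02:01:09Z 203.0.113.7 grace@example.com FAIL
2023-04-10T02:01:10Z 203.0.113.7 heidi@example.com FAIL
2023-04-10T02:04:30Z 198.51.100.5 ivan@example.com FAIL
2023-04-10T02:04:41Z 198.51.100.5 ivan@example.com FAIL
2023-04-10T02:04:55Z 198.51.100.5 ivan@example.com SUCCESS
2023-04-10T02:06:00Z 192.0.2.9 judy@example.com SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated from the log."""
    users: set = field(default_factory=set)
    attempts: int = 0
    failures: int = 0
    takeovers: set = field(default_factory=set)  # accounts that logged in from this IP


def parse_log(text):
    """Turn the whitespace-separated log into (ts, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "SUCCESS"))
    return events


def profile_sources(events):
    """Aggregate attempts, failures and successful accounts per source IP."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s.users.add(user)
        s.attempts += 1
        if ok:
            s.takeovers.add(user)
        else:
            s.failures += 1
    return stats


def detect_credential_stuffing(events, min_distinct_users=5,
                               max_attempts_per_user=2.0, min_fail_ratio=0.5):
    """Return {src_ip: sorted accounts that authenticated from a flagged source}.

    Those accounts are the ones to force a password reset on; anything they
    could see (such as relatives' shared profiles) should be treated as exposed.
    """
    flagged = {}
    for ip, s in profile_sources(events).items():
        distinct = len(s.users)
        if distinct < min_distinct_users:
            continue  # one user retrying is not stuffing
        if s.attempts / distinct > max_attempts_per_user:
            continue  # many guesses per account looks like brute force, not replay
        if s.failures / s.attempts < min_fail_ratio:
            continue  # mostly-successful traffic is normal logins
        flagged[ip] = sorted(s.takeovers)
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing suspected; accounts to reset: {accounts}")
```

On the sample, only 203.0.113.7 is flagged (eight accounts, one attempt each, two successes); ivan's three retries from 198.51.100.5 and judy's single login are left alone. In production the same logic would be keyed on a sliding time window and on ASN or device fingerprint as well as IP, since stuffing tools rotate proxies.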
In a statement, ICO Commissioner John Edwards said the public “must be confident that any organization handling their most sensitive personal information has appropriate security and protection in place.”
“This data breach has international implications, and we look forward to working with our Canadian colleagues to ensure the personal information of people in the UK is protected,” Edwards said.
The joint UK-Canada investigation will examine the scope of the information exposed and the potential harm victims could suffer; whether 23andMe “has adequate safeguards” to protect sensitive user data; and whether 23andMe “provided adequate notice” to the ICO and OPC.
A spokesperson for 23andMe did not immediately respond to a request for comment.