The Office of the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner’s Office (ICO) have announced a joint investigation into the October 2023 data breach at 23andMe, which compromised the genetic and personal data of nearly 7 million users.
UK Information Commissioner John Edwards and Canadian Privacy Commissioner Philippe Dufresne will spearhead the investigation. The probe aims to determine the scope of the breach, the adequacy of 23andMe’s data protection measures, and whether the company complied with notification requirements under Canadian and UK laws.
The breach, which went undetected for five months, exposed sensitive information, including names, birth years, relationship labels, DNA shared percentages, ancestry reports, and self-reported locations. The hackers exploited a technique known as password spraying to gain access to approximately 14,000 accounts, and from there, they were able to scrape data on millions of users through 23andMe’s DNA Relatives opt-in feature.
“People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place,” said John Edwards. “This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
Dufresne echoed the sentiment, highlighting the breach’s international ramifications and the critical need for cross-border cooperation in protecting privacy rights.
23andMe, in response, has pledged full cooperation with the investigation. Andy Kill, a spokesperson for the company, told TechCrunch, “We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023.”
As genetic data is highly sensitive and immutable, ensuring robust security measures is paramount. This breach threatened individuals’ privacy and posed potential risks to their health, familial relationships, and personal safety. The joint investigation by OPC and ICO is a critical step towards addressing these vulnerabilities and reinforcing the importance of stringent data protection measures.
The findings of this investigation will likely have far-reaching implications for the data protection landscape, particularly for companies handling sensitive personal information.