Privacy watchdogs in the UK and Canada have launched a joint investigation into the 23andMe data breach last year.
On Monday, the UK's Information Commissioner's Office (ICO) and Canada's Office of the Privacy Commissioner (OPC) announced a joint investigation into the genetic testing company, saying the two regulators would leverage “the combined resources and expertise of both agencies.”
23andMe disclosed a security incident last year that affected the genetic and ancestry data of 6.9 million users, about half of its total user base. The company said in its data breach notice that it did not detect the hackers' activity for about five months, between April and September 2023. 23andMe said it first became aware of the account breach in October 2023, when the hackers promoted the stolen data on a private 23andMe subreddit and a well-known hacking forum.
The stolen data included individuals’ names, dates of birth, relationship labels, percentage of DNA shared with relatives, ancestry reports, and self-reported locations.
The hackers broke into around 14,000 23andMe customer accounts using a technique known as password spraying, reusing passwords from previous intrusions. From these 14,000 accounts, the hackers were able to harvest information on millions of other people through an opt-in feature called DNA Relatives, which allowed users to automatically share some of their data with other users who also opted in, with the aim of discovering distant relatives. In this way, by hacking just 14,000 accounts, the hackers were able to gather information on 6.9 million users.
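The two-stage pattern described above, reused credentials tried across many accounts and then a single compromised account pulling far more relatives' profiles than a person would browse, is what a defender would hunt for in authentication and access logs. The following Python is an added example, not 23andMe's code or anything from the article; the log format, event names, thresholds and sample log lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real 23andMe records): one source tries reused passwords
# against eight accounts, the one that opens then reads 300 DNA Relatives profiles in
# ten minutes, while a legitimate user reads a dozen over an hour.
def constructed_log():
    t0 = datetime(2023, 5, 1, 10, 0, 0)
    lines = []
    for i in range(1, 9):  # eight accounts, one attempt each, from one IP
        ev = "LOGIN_OK" if i == 8 else "LOGIN_FAIL"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.7 {ev} user=u{i:03d}")
    for j in range(300):  # account u008 views 300 distinct relatives in ~10 minutes
        t = t0 + timedelta(seconds=10 + 2 * j)
        lines.append(f"{t.isoformat()} 203.0.113.7 RELATIVE_VIEW user=u008 rel=r{j}")
    for k in range(12):  # normal use: a dozen relatives spread over an hour
        t = t0 + timedelta(minutes=5 * k)
        lines.append(f"{t.isoformat()} 198.51.100.9 RELATIVE_VIEW user=u042 rel=x{k}")
    return lines

def parse(line):
    ts, ip, event, *kv = line.split()  # assumed format: time ip event key=value...
    return datetime.fromisoformat(ts), ip, event, dict(p.split("=", 1) for p in kv)

def max_distinct_in_window(times_keys, window):
    # Largest number of distinct keys seen inside any span of length `window`.
    times_keys.sort()
    best, start, counts = 0, 0, defaultdict(int)
    for t, key in times_keys:
        counts[key] += 1
        while times_keys[start][0] < t - window:  # evict events older than the window
            old = times_keys[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best

def credential_stuffing_sources(lines, window=timedelta(minutes=5), min_accounts=5):
    # IPs whose failed logins spread across >= min_accounts distinct accounts in a window.
    by_ip = defaultdict(list)
    for t, ip, event, f in map(parse, lines):
        if event == "LOGIN_FAIL":
            by_ip[ip].append((t, f["user"]))
    return sorted(ip for ip, tk in by_ip.items() if max_distinct_in_window(tk, window) >= min_accounts)

def relative_scrapers(lines, window=timedelta(minutes=10), max_relatives=50):
    # Accounts that view more than max_relatives distinct DNA Relatives profiles in a window.
    by_user = defaultdict(list)
    for t, ip, event, f in map(parse, lines):
        if event == "RELATIVE_VIEW":
            by_user[f["user"]].append((t, f["rel"]))
    return sorted(u for u, tk in by_user.items() if max_distinct_in_window(tk, window) > max_relatives)
```

On the constructed log the first check flags only 203.0.113.7 and the second flags only u008; the thresholds are illustrative and would be tuned against a real baseline of how many relatives users actually open.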
“People need to trust that the organisations handling their most sensitive personal information have the right security and safeguards in place,” ICO Commissioner John Edwards was quoted as saying in a statement.
“This data breach has had international implications and we look forward to working with Canadian authorities to ensure that the personal information of people in the UK is protected,” Edwards said.
The joint UK and Canadian investigation will look into the scope of the information that was leaked and the potential harm to victims, whether 23andMe “had put in place appropriate safeguards” to protect its users' sensitive data, and whether 23andMe “gave appropriate notice” to the ICO and OPC.
“23andMe is aware of the joint investigation announced today by the Privacy Commissioner of Canada and the U.K. Information Commissioner. We intend to cooperate with any reasonable requests of these regulators regarding the credential stuffing attack discovered in October 2023,” 23andMe spokesman Andy Kill said in a statement.
Update, June 10, 12:53 p.m. ET: This article has been updated to add comment from 23andMe.