
UK and Canada team up for 23andMe data breach investigation

Written by Tue 11 Jun 2024

The UK Information Commissioner’s Office (ICO) has announced a joint investigation with the Office of the Privacy Commissioner of Canada (OPC) into the data breach at genetic testing company 23andMe.

UK Information Commissioner, John Edwards, and Privacy Commissioner of Canada, Philippe Dufresne, will jointly investigate the October 2023 breach at 23andMe, pooling their resources and expertise for a comprehensive inquiry.

UK Information Commissioner, John Edwards, said people need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place.

“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected,” said Edwards.

The ICO said 23andMe is a custodian of highly sensitive personal information, with the potential to reveal information about an individual and their family members. This can include their health, ethnicity, and biological relationships; public trust in these services is therefore essential.

Privacy Commissioner of Canada, Philippe Dufresne, said that, in the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination.

“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world,” said Dufresne.

The joint investigation will assess the extent of data exposed in the breach, potential harms to those affected, 23andMe’s safeguard measures for sensitive data, and its compliance with Canadian and UK data protection laws regarding breach notification to regulators and affected individuals.

The 23andMe Breach

In October, 23andMe confirmed a hack in which data from millions of users had been stolen. Whilst the company said its systems were not breached, genetic information from 23andMe accounts appeared to be posted online by hackers. 

23andMe believed threat actors were able to access certain accounts in instances where users recycled login credentials.

Specifically, this occurred when the usernames and passwords used on 23andMe.com were the same as those used on other websites that had suffered prior security breaches. This is known as credential stuffing.

In December, the breach, which initially seemed to affect a limited number of user accounts, appeared to have compromised the personal data of millions of users.
