Privacy watchdogs from the United Kingdom and Canada have embarked on a joint investigation following a data breach at the genetic testing company 23andMe.
The breach, which 23andMe disclosed last year, exposed personal and genetic information belonging to approximately 6.9 million users, nearly half of the company's user base. The U.K.'s Information Commissioner's Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) are pooling their resources and expertise to examine the breach and its consequences.
How Was the Breach Detected?
23andMe did not detect the intrusion until roughly five months after it began. The company became aware of it in October 2023, when the attackers advertised the stolen data on the unofficial 23andMe subreddit and on a well-known hacking forum.
What Information Was Compromised?
The exposed data included sensitive information such as users' names, birth years, relationships, percentages of DNA shared with relatives, ancestry reports, and self-reported locations.
How Did the Attackers Get In?
The technique used was credential stuffing: roughly 14,000 customer accounts were accessed by replaying username and password pairs leaked in earlier breaches of other services, which those users had reused on 23andMe. (This is sometimes mislabelled "password spraying", which is a different technique: trying a few common passwords against many accounts. Here the passwords were the victims' own, recycled.) Because each account receives only one or two login attempts with a valid-looking password, per-account lockouts and failed-login counters do not catch it; the tell is a single source attempting many distinct accounts.
The damage went far beyond those 14,000 accounts because of DNA Relatives, an opt-in feature that lets a user see profile details of other opted-in users who share DNA with them, in order to find distant relatives. Each compromised account therefore exposed the relative matches of its owner, and by paging through those matches from the 14,000 accounts the attackers scraped profile data on millions of users whose own accounts were never compromised.
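The two patterns above, credential stuffing at the login endpoint and bulk scraping of relative profiles from a few compromised accounts, are both visible in ordinary application logs if you look at fan-out per source rather than failures per account. The following is an added example, not code from the page or from 23andMe: it runs two such detections over constructed sample log lines in a hypothetical `<timestamp> <event> key=value ...` format, using a sliding window of distinct values per key.

```python
"""Two detections for the attack pattern described above, run over constructed
sample log lines: credential stuffing against the login endpoint, and bulk
scraping of opt-in relative profiles from a handful of compromised accounts.
The log format is hypothetical; it is not 23andMe's."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). Assumed format:
#   <ISO timestamp> <event> key=value ...
# Source 203.0.113.7 tries one password each against six accounts in five
# seconds (two succeed); 198.51.100.2 is a normal user who mistypes once.
_LOGIN_LINES = """\
2023-05-01T10:00:00 login ip=203.0.113.7 user=alice result=fail
2023-05-01T10:00:01 login ip=203.0.113.7 user=bob result=fail
2023-05-01T10:00:02 login ip=203.0.113.7 user=carol result=ok
2023-05-01T10:00:03 login ip=203.0.113.7 user=dave result=fail
2023-05-01T10:00:04 login ip=203.0.113.7 user=erin result=fail
2023-05-01T10:00:05 login ip=203.0.113.7 user=frank result=ok
2023-05-01T10:05:00 login ip=198.51.100.2 user=grace result=fail
2023-05-01T10:05:30 login ip=198.51.100.2 user=grace result=ok
2023-05-01T10:20:00 relative_view ip=198.51.100.9 user=bob profile=p1 result=ok
2023-05-01T10:21:00 relative_view ip=198.51.100.9 user=bob profile=p2 result=ok
"""
# The compromised account "carol" then pages through 60 distinct relative
# profiles in one minute: the scraping step.
_SCRAPE_LINES = "\n".join(
    f"2023-05-01T10:10:{i:02d} relative_view ip=203.0.113.7 user=carol profile=p{i} result=ok"
    for i in range(60)
)
SAMPLE_LOG = _LOGIN_LINES + _SCRAPE_LINES + "\n"


def parse_line(line):
    """Parse one log line into a dict; returns None for blank lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": datetime.fromisoformat(parts[0]), "event": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def _windowed_distinct(events, key_field, value_field, window, threshold):
    """Return {key: peak} for keys where, within any `window`, the number of
    distinct `value_field` values seen reaches `threshold`. Two-pointer sweep
    over each key's events in timestamp order."""
    by_key = defaultdict(list)
    for e in events:
        if key_field in e and value_field in e:
            by_key[e[key_field]].append(e)
    flagged = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        counts = Counter()
        left = 0
        peak = 0
        for e in evs:
            counts[e[value_field]] += 1
            # Evict events that fell out of the window ending at e["ts"].
            while e["ts"] - evs[left]["ts"] > window:
                old = evs[left][value_field]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def detect_credential_stuffing(events, window_seconds=600, min_accounts=5):
    """Flag source IPs that attempt logins to many distinct accounts in a short
    window. Stuffing tries one leaked password per account, so per-account
    failure counts stay low; only the per-source account fan-out gives it away."""
    logins = [e for e in events if e["event"] == "login"]
    return _windowed_distinct(logins, "ip", "user", timedelta(seconds=window_seconds), min_accounts)


def detect_relative_scraping(events, window_seconds=3600, max_profiles=50):
    """Flag accounts that view far more distinct relative profiles in a window
    than a person browsing their own matches would."""
    views = [e for e in events if e["event"] == "relative_view"]
    return _windowed_distinct(views, "user", "profile", timedelta(seconds=window_seconds), max_profiles)


def run_detections(text):
    """Parse the log and return both findings."""
    events = parse_log(text)
    return {
        "credential_stuffing_sources": detect_credential_stuffing(events),
        "scraping_accounts": detect_relative_scraping(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(name, hits)
```

The thresholds and window sizes are assumptions for the sample data; in production they would be tuned against a baseline of how many matches a real user pages through, and the source key for stuffing would usually be an IP range or ASN rather than a single address, since stuffing tools rotate through proxies.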
Information Commissioner John Edwards commented on the incident, stressing that organizations handling sensitive information must maintain robust security measures. He highlighted the international scale of the breach and the collaborative effort with the Canadian authorities to ensure that UK residents' personal information is safeguarded.
Moving Forward
The joint investigation by the ICO and OPC aims to scrutinize the extent of information that was exposed, evaluate the potential harm inflicted on the victims, ascertain whether 23andMe had sufficient security safeguards in place, and determine if the company conducted adequate notification procedures with the ICO and OPC.
In response to the investigation, 23andMe spokesperson Andy Kill said the company was aware of the joint inquiry and intends to cooperate with the regulators' requests relating to the attack.