Privacy watchdogs in the U.K. and Canada have initiated a joint probe into last year’s data breach at 23andMe.
On Monday, the U.K.’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) announced their investigation into the genetic testing company, stating they will use “the combined resources and expertise of their two offices.”
Last year, 23andMe revealed a security breach that compromised the genetic and ancestry information of 6.9 million users, approximately half of its total user base. In its breach notifications, the company mentioned it didn’t detect the hackers’ activities for around five months, from April until September 2023. 23andMe became aware of the account breaches in October 2023, when hackers advertised the stolen data on the unofficial 23andMe subreddit and a renowned hacking forum.
The stolen information included individuals’ names, birth years, relationship labels, DNA percentage shared with relatives, ancestry reports, and self-reported locations.
Hackers infiltrated about 14,000 accounts of 23andMe customers by reusing their passwords from prior breaches, a tactic known as password spraying. From those 14,000 accounts, the hackers managed to extract information on millions more due to an opt-in feature named DNA Relatives, which allowed users to automatically share certain data with other opt-in users, aimed at discovering distant relatives. This is how hackers scraped information on 6.9 million users by only breaching 14,000 accounts.
In a statement, ICO Commissioner John Edwards stated that people “need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place.”
“This data breach had an international impact, and we look forward to working with our Canadian colleagues to ensure the personal information of people in the U.K. is protected,” Edwards added.
The joint U.K.-Canada investigation will explore the scope of information exposed and the potential harm to victims; whether 23andMe “had adequate safeguards” to protect user data; and if 23andMe “provided adequate notification” to the ICO and the OPC.
23andMe representatives did not immediately reply to a request for comment.
