The UK and Canada are joining forces to investigate genetic testing company 23andMe after a data breach in October 2023 exposed the personal information of 6.9 million people. Hackers were able to access family trees, birth years, and geographic locations by using customers’ old passwords.
Although the stolen data did not include DNA records, the joint taskforce will be looking into whether adequate safeguards were in place to protect such sensitive information. 23andMe has stated that they will cooperate with the regulators’ requests during the investigation.
While the company itself was not hacked, criminals were able to log into about 14,000 individual accounts by using email and password details from previous data breaches. This allowed them to download not only the data from those accounts but also the private information of all other users linked through family trees on the website.
The UK Information Commissioner’s Office emphasized the importance of trust in services like 23andMe, as the data stored can reveal information about an individual’s health, ethnicity, and biological relationships. The investigation will also focus on the potential harm to users and how 23andMe reported the breach.
Canada’s privacy commissioner, Philippe Dufresene, highlighted the risks of genetic information falling into the wrong hands, as it could be misused for surveillance or discrimination. The joint investigation will delve into the size of the hack and whether 23andMe followed the correct processes in both the UK and Canada.
As one of the leaders in the ancestor-tracing industry, 23andMe offers genetic testing with ancestry breakdown and personalized health insights. This breach serves as a reminder of the importance of robust data protection measures in an increasingly digital world.