23andMe subjected to investigation due to data breach
The Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the data breach that happened at 23andMe.
23andMe is a South San Francisco-based company that tests customers' DNA for ancestry and genetic predisposition to health-related topics.
In October 2023, 23andMe was hit by a credential stuffing attack. In the attack, hackers managed to gain access to 0.1 percent of all accounts, which is about 14,000 profiles.
The attackers were also able to enable DNA Relatives, a feature that allows users to automatically share some of their data with distant relatives. Because of that, the private data of 6.9 million users was up for grabs, including full names, dates of birth, location data, relationship status, health and family tree data, and information that users voluntarily shared to get in touch with descendants.
‘Public trust in these services is essential’
The security incident at 23andMe is far from over. The British and Canadian privacy authorities have launched a joint investigation into the matter. In a joint statement they say:
“23andMe is a custodian of highly sensitive personal information, including genetic information which does not change over time. It can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships. This makes public trust in these services essential.”
Both agencies will examine the scope of information that was exposed by the data breach and the potential harms to affected people. Next, they will determine whether 23andMe had adequate safeguards in place to protect sensitive information. Lastly, the data protection authorities (DPAs) will rule on whether the company provided adequate notification to the regulators and affected customers.
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world,” Philippe Dufresne, Privacy Commissioner of Canada, said in a statement.