UK & Canadian Data Regulators Investigate 23andMe Over 2023 Data Breach
Data protection regulators in the United Kingdom and Canada have launched a joint investigation of 23andMe over its 2023 data breach that affected almost 7 million people – around half of its customers.
23andMe is a direct-to-consumer genetic testing company that analyzes customers’ DNA from saliva samples and provides them with insights into their health and ancestry. In October 2023, a hacker claimed to have accessed users’ profile information and offered the data for sale. 23andMe investigated the hacker’s claims and determined that its systems had not been compromised; however, customers’ accounts had been accessed in a credential stuffing campaign. Credential stuffing attacks involve using username and password pairs obtained in a breach at one or more companies to log in to accounts on an unrelated platform. This technique only works where passwords are reused across multiple platforms.
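Because a credential stuffing campaign tries a different stolen username and password pair on each attempt, it looks very different in authentication logs from a legitimate user mistyping their own password: one source sweeps through many distinct accounts with a high failure rate, and the occasional success marks an account whose password was reused. The following detector is an added example written for this article, not code from 23andMe or from the regulators. It assumes a hypothetical log format of `<timestamp> <source_ip> <username> <outcome>` and uses constructed sample lines; the window size and thresholds are assumptions a defender would tune to their own traffic.

```python
"""Flag credential stuffing in constructed authentication logs.

Heuristic: within a short time window, a single source IP attempts many
distinct usernames with a high failure ratio. Successes inside such a
window are the accounts that were reached with a reused password and
should be reset and notified.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: timestamp ip user outcome).
# 203.0.113.7 sweeps ten accounts in ten seconds; 198.51.100.22 is one user
# retyping their own password; 192.0.2.9 is a single normal login.
SAMPLE_LOG = """\
2023-04-03T10:00:01 203.0.113.7 alice FAIL
2023-04-03T10:00:02 203.0.113.7 bob FAIL
2023-04-03T10:00:03 203.0.113.7 carol FAIL
2023-04-03T10:00:04 203.0.113.7 dave SUCCESS
2023-04-03T10:00:05 203.0.113.7 erin FAIL
2023-04-03T10:00:06 203.0.113.7 frank FAIL
2023-04-03T10:00:07 203.0.113.7 grace FAIL
2023-04-03T10:00:08 203.0.113.7 heidi FAIL
2023-04-03T10:00:09 203.0.113.7 ivan FAIL
2023-04-03T10:00:10 203.0.113.7 judy SUCCESS
2023-04-03T10:05:00 198.51.100.22 mallory FAIL
2023-04-03T10:05:10 198.51.100.22 mallory FAIL
2023-04-03T10:05:20 198.51.100.22 mallory SUCCESS
2023-04-03T11:30:00 192.0.2.9 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.5):
    """Return {source_ip: summary} for sources whose activity in any window
    of `window` length touches at least `min_distinct_users` accounts with a
    failure ratio of at least `min_fail_ratio`. Thresholds are assumed values."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = parse_line(line)
            by_ip[ip].append((ts, user, outcome))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window starting at each event; report the first window that trips.
        for i, (start, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, o in win if o == "FAIL")
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                findings[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    # Successful logins inside a stuffing window: reused passwords.
                    "compromised": sorted(u for _, u, o in win if o == "SUCCESS"),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The `compromised` list is the actionable output: those are the accounts to lock, reset and notify, since the stolen password worked. The single-user retries from 198.51.100.22 are deliberately not flagged, because counting distinct usernames rather than raw failures is what separates stuffing from an ordinary forgotten password.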
23andMe’s investigation confirmed that around 14,000 user accounts were compromised in a campaign that ran for around 5 months from April 2023 to September 2023. Those users had sensitive profile data compromised, along with a further 5.5 million customers who opted into its DNA Relatives feature which allows customers to find and connect with genetic relatives. A group of around 1.4 million customers who opted into that feature also had their family tree profile information accessed. The family tree information included names, relationship labels, self-reported location, and birth year.
UK Information Commissioner John Edwards and Privacy Commissioner of Canada Philippe Dufresne initiated an investigation to determine whether adequate safeguards had been implemented at 23andMe. While password reuse allowed hackers to access individual accounts, the breach had an international impact and resulted in the exposure and theft of the data of millions of users.
While 23andMe blames customers for poor security practices, the investigation will seek to establish whether 23andMe should have done more to protect customer data. The data regulators are also looking to confirm the scope of the breach, the potential harm that can be caused to consumers, and whether the company complied with data breach notification laws and provided sufficient information to the regulators and affected individuals. 23andMe issued a statement confirming that the company will “cooperate with these regulators’ reasonable requests.”
“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place,” said Edwards. “This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” said Dufresne. “Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”