Genetic testing firm 23andMe is facing the combined scrutiny of the UK and Canadian data protection authorities following a major data breach incident last year.
The Information Commissioner’s Office (ICO) and Office of the Privacy Commissioner of Canada (OPC) said yesterday that they are launching a joint investigation into the October 2023 breach.
Threat actors accessed 6.9 million customers’ personal data via credential stuffing: they targeted around 14,000 accounts protected only by passwords that had been reused elsewhere and exposed in other breaches.
They then used the DNA Relatives feature to pivot from those accounts to other users’ personal information – even though this second group had not reused their passwords and was not directly to blame for what happened.
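The two stages described above map to two defender-side signals: a source trying many distinct accounts with mostly failures (stuffing), and a single authenticated account then reading far more relative profiles than a normal user would. The following is an added illustration, not 23andMe's code; log formats, thresholds and all log entries are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "time source_ip account result"
AUTH_LOG = """\
12:00:01 198.51.100.7 alice FAIL
12:00:02 198.51.100.7 bob FAIL
12:00:02 198.51.100.7 carol OK
12:00:03 198.51.100.7 dave FAIL
12:00:03 198.51.100.7 erin FAIL
12:00:04 198.51.100.7 frank OK
12:00:05 198.51.100.7 grace FAIL
12:00:06 198.51.100.7 heidi FAIL
12:00:09 203.0.113.5 alice FAIL
12:00:12 203.0.113.5 alice OK
"""

# Constructed sample access log: (account, relative-profile id) per view of a
# relatives-style feature. carol, who logged in from the stuffing source above,
# reads 30 profiles; alice reads one.
ACCESS_LOG = [("carol", f"profile{i}") for i in range(30)] + [("alice", "profile1")]


def parse_auth(text):
    """Turn raw auth log lines into (time, ip, account, success) tuples."""
    rows = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        rows.append((ts, ip, account, result == "OK"))
    return rows


def flag_credential_stuffing(rows, min_accounts=5, min_fail_ratio=0.5):
    """Per source IP, many distinct accounts with mostly failures is the stuffing
    signature. Returns {ip: sorted accounts that DID log in from it}: these are
    the reused-password accounts to force-reset and whose sessions to revoke."""
    per_ip = defaultdict(lambda: {"tried": set(), "ok": set(), "fail": 0, "n": 0})
    for _, ip, account, ok in rows:
        s = per_ip[ip]
        s["tried"].add(account)
        s["n"] += 1
        if ok:
            s["ok"].add(account)
        else:
            s["fail"] += 1
    return {ip: sorted(s["ok"]) for ip, s in per_ip.items()
            if len(s["tried"]) >= min_accounts and s["fail"] / s["n"] >= min_fail_ratio}


def flag_bulk_relative_access(views, max_profiles=20):
    """Per account, count distinct relative profiles viewed; an account reading
    far more than a normal user is the lateral-data signal worth alerting on."""
    seen = defaultdict(set)
    for account, profile in views:
        seen[account].add(profile)
    return {a: len(p) for a, p in seen.items() if len(p) > max_profiles}
```

Real deployments should key the first check on more than source IP (stuffing is often spread across proxies) and rate-limit the relatives feature per account rather than only alerting after the fact.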
The firm was subsequently criticized for its hardline response to legal action from some of these customers. It effectively blamed the incident on the poor password security of the 14,000 users who were initially targeted and claimed that any information accessed by the hackers “cannot be used for any harm.”
Although the stolen data didn’t contain social security numbers, driver’s license numbers or any payment or financial information, it did include information on family history, birth dates and geographic locations, among other things.
The UK’s ICO claimed that the data 23andMe stores is “highly sensitive” and can reveal information about family members including health, ethnicity and biological relationships – making trust in such services essential.
The coming investigation will look at:
- The scope of the breach and potential harms to impacted customers
- Whether 23andMe had sufficient safeguards in place
- Whether the firm provided adequate notification to the regulators
“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place,” said Information Commissioner John Edwards.
“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
Although each regulator will investigate compliance with the law that it oversees, they will both be able to take advantage of the two offices’ combined resources and expertise.