UK and Canada join forces to probe 23andMe breach

The UK and Canadian data regulators are joining forces to launch an investigation into the October 2023 data breach at the global direct-to-consumer genetic testing company 23andMe, which saw thousands of customers’ accounts compromised.

The UK’s Information Commissioner John Edwards and the Privacy Commissioner of Canada Philippe Dufresne will use the combined resources of their two offices.

The US-based genetics company analyses its customers’ DNA through home saliva collection kits to provide insights on factors such as health and ancestry.

According to the company’s website, it has sold more than 12 million DNA testing kits since 2006. Demand for the service, which costs around £180.00, has grown as websites like have triggered huge demand from consumers keen to discover their genetic heritage.

But the data regulators insist that, because the company is a custodian of highly sensitive personal information, including genetic information which does not change over time, public trust in these services is essential.

Genetic information can reveal details about an individual and their family members, including about their health, ethnicity, and biological relationships.

Even so, the company insists its systems were not hacked but rather that criminals logged into about 14,000 individual accounts, or 0.1% of customers, by using email and password details previously exposed in other hacks.

The criminals downloaded not just the data from those accounts but the private information of all other users they had links to across the family trees on the website.

At the time, 23andMe said it informed affected customers and made them change their passwords and update account security.

The regulators say the joint investigation reflects their commitment to collaborate on protecting the fundamental right to privacy of individuals across jurisdictions.

It will examine the scope of information that was exposed by the breach and potential harms to affected people; whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws.

John Edwards said: “People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place.

“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Philippe Dufresne added: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination.

“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

Data protection and privacy legislation allows the privacy authorities of Canada and the UK to work together on matters of impact across the two jurisdictions. Each regulator will investigate compliance with the law that it oversees.
