Privacy regulators in Canada and the United Kingdom have initiated a collaborative inquiry into the genetic testing firm 23andMe in response to a major data breach, marking a significant step toward addressing the issue.
The sensitive personal information of almost 7 million users was compromised in a breach last year, leading to significant worries about data security and privacy.
The breach, which took place between April and September 2023, involved attackers using a credential-stuffing attack to gain access to approximately 14,000 user accounts.
Credential-stuffing is a technique where attackers use credentials obtained from other data breaches to access accounts on different platforms.
Once inside these accounts, the attackers were able to scrape data on millions of other individuals due to an opt-in feature called DNA Relatives, which allows users to share data with others to discover distant relatives.
This led to the exposure of data for 6.9 million users, including names, birth years, relationship labels, DNA percentage shares with relatives, ancestry reports, and self-reported locations.
Scope of the Investigation
The joint investigation will be conducted by the Information Commissioner’s Office (ICO) in the United Kingdom and the Office of the Privacy Commissioner of Canada (OPC).
The primary objectives of the investigation are to assess the extent of the exposed information, evaluate the potential harm to the victims, and determine whether 23andMe had adequate safeguards in place to protect users’ sensitive data.
Additionally, the investigation will scrutinize whether the company provided timely and adequate notification to the affected individuals and the relevant privacy regulators as required by Canadian and UK privacy and data protection laws.
With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis
Philippe Dufresne, the Privacy Commissioner of Canada, emphasized the importance of protecting genetic information, stating, “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world”.
John Edwards, the UK Information Commissioner, echoed these concerns, highlighting the need for robust security measures. “People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected”.
23andMe’s Response
In response to the breach, 23andMe has implemented several security measures, including requiring all customers to reset their passwords and enabling two-factor authentication by default for all new and existing customers.
The company has also updated its Terms of Use to make it more challenging for customers to join class action lawsuits, a move that some have criticized as a “scumbag corporate move”.
The joint investigation by the ICO and OPC represents a coordinated effort to address the transnational nature of the data breach and ensure that the personal information of individuals in both countries is adequately protected.
The investigation’s findings could have significant implications for 23andMe and other companies handling sensitive genetic data, potentially leading to stricter regulatory requirements and enhanced security measures.
Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo