Privateness watchdogs within the U.Ok. and Canada have launched a joint investigation into the data breach at 23andMe final yr.
On Monday, the U.Ok,’s Info Commissioner’s Workplace (ICO) and the Workplace of the Privateness Commissioner of Canada (OPC) introduced their investigation into the genetic testing firm, saying the organizations will leverage “the mixed assets and experience of their two places of work.”
Final yr, 23andMe disclosed a security incident that affected the genetic and ancestry knowledge of 6.9 million customers, or roughly half of its general consumer base. In its data breach notices, the corporate mentioned it didn’t detect the hackers’ actions for round 5 months, from April till September 2023. 23andMe mentioned it solely grew to become conscious of the account breaches in October 2023, when hackers marketed the stolen knowledge on the unofficial 23andMe subreddit and a widely known hacking discussion board.
The stolen knowledge included the particular person’s title, beginning yr, relationship labels, the share of DNA shared with kinfolk, ancestry studies, and self-reported location.
Hackers broke into round 14,000 accounts of 23andMe clients by reusing their passwords from earlier breaches, a way often called password spraying. From these 14,000 accounts, the hackers had been capable of scrape info on hundreds of thousands of different individuals due to an opt-in characteristic referred to as the DNA Kinfolk, which allowed customers to mechanically share a few of their knowledge with different individuals who additionally had opted-in, with the aim of uncovering far-away kinfolk. That’s how the hackers had been capable of scrape info on 6.9 million customers by solely hacking 14,000 accounts.
In an announcement, ICO Commissioner John Edwards was quoted as saying that individuals “have to belief that any organisation dealing with their most delicate private info has the suitable security and safeguards in place.”
“This data breach had a global influence, and we sit up for collaborating with our Canadian counterparts to make sure the private info of individuals within the U.Ok. is protected,” mentioned Edwards.
The joint U.Ok.-Canada investigation will look into the scope of knowledge uncovered and the potential hurt to the victims; whether or not 23andMe “had sufficient safeguards” to guard customers’ delicate knowledge; and whether or not 23andMe “offered sufficient notification” to the ICO and the OPC.
23andMe spokespeople didn’t instantly reply to a request for remark.
