Information breached and 23andMe's security will be examined.
The UK’s Information Commissioner and the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the 23andMe data breach.
In the incident, an attacker was able to access around 14,000 individual 23andMe.com accounts via a credential stuffing effort, and having compromised those accounts, accessed information included in a significant number of DNA Relatives profiles and Family Tree feature profiles, each of which were connected to the compromised accounts.
The company said it did not have any indication that there was a data security incident within its systems, or that 23andMe was the source of the account credentials used in these attacks. Instead, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously compromised or otherwise available.
Investigating jointly, the two commissioners said 23andMe “is a custodian of highly sensitive personal information, including genetic information which does not change over time.” As it reveals information about an individual and their family members, “this makes public trust in these services essential.”
The investigation will examine:
The scope of information that was exposed by the breach and potential harms to affected people
Whether 23andMe had adequate safeguards to protect the highly sensitive information within its control
Whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws
The UK Information Commissioner John Edwards said the breach had an international impact, and “people need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place.”
Philippe Dufresne, Privacy Commissioner of Canada, said: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
Each regulator will investigate compliance with the law that it oversees. No further comment will be made while the investigation is ongoing.
Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
An error occurred trying to play the stream. Please reload the page and try again.
CloseRegistering with SC Media is 100% free. Join tens of thousands of cybersecurity leaders today and gain access to the latest analysis shaping the global infosec agenda.
