The UK’s Information Commissioner and the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the 23andMe data breach.

In the incident, an attacker was able to access around 14,000 individual 23andMe.com accounts via a credential stuffing effort, and having compromised those accounts, accessed information included in a significant number of DNA Relatives profiles and Family Tree feature profiles, each of which were connected to the compromised accounts.

The company said it did not have any indication that there was a data security incident within its systems, or that 23andMe was the source of the account credentials used in these attacks. Instead, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously compromised or otherwise available.

Investigating jointly, the two commissioners said 23andMe “is a custodian of highly sensitive personal information, including genetic information which does not change over time.” As it reveals information about an individual and their family members, “this makes public trust in these services essential.”

The investigation will examine:

• The scope of information that was exposed by the breach and potential harms to affected people

• Whether 23andMe had adequate safeguards to protect the highly sensitive information within its control

• Whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws

International Impact

The UK Information Commissioner John Edwards said the breach had an international impact, and “people need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place.”

Philippe Dufresne, Privacy Commissioner of Canada, said: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

Each regulator will investigate compliance with the law that it oversees. No further comment will be made while the investigation is ongoing.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.