Header image

UK and Canadian Commissioners Investigate DNA Breach

Information breached and 23andMe's security will be examined.

The UK’s Information Commissioner and the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the 23andMe data breach.

In the incident, an attacker was able to access around 14,000 individual 23andMe.com accounts via a credential stuffing effort, and having compromised those accounts, accessed information included in a significant number of DNA Relatives profiles and Family Tree feature profiles, each of which were connected to the compromised accounts.

The company said it did not have any indication that there was a data security incident within its systems, or that 23andMe was the source of the account credentials used in these attacks. Instead, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously compromised or otherwise available.

Investigating jointly, the two commissioners said 23andMe “is a custodian of highly sensitive personal information, including genetic information which does not change over time.” As it reveals information about an individual and their family members, “this makes public trust in these services essential.”

The investigation will examine:


  • The scope of information that was exposed by the breach and potential harms to affected people

  • Whether 23andMe had adequate safeguards to protect the highly sensitive information within its control

  • Whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws

International Impact

The UK Information Commissioner John Edwards said the breach had an international impact, and “people need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place.”

Philippe Dufresne, Privacy Commissioner of Canada, said: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

Each regulator will investigate compliance with the law that it oversees. No further comment will be made while the investigation is ongoing.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a seasoned B2B journalist with over 20 years of experience, specializing in cybersecurity for the past 15 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes. Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

Upcoming Events

08
Aug
Webinar

How to Automate the Lifecycle of Joiners, Movers, and Leavers With No-Code Solutions

Streamlining the lifecycle of joiners, movers, and leavers using no-code automation

The process of onboarding new employees and quickly removing departing staff profiles can be both time-consuming and labour-intensive.
In this live webinar, we will look at how to streamline these processes to save time and resources, and providing a smooth experience for both admins and employees.

Key takeaways:
  • Understanding the importance of securing the joiners, movers and leavers process
  • Exploring successful attacks that occurred due to errors in managing these transitions
  • Discover which advanced controls can be utilized
image image image